Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
Policy Server Installation Guide
Ver 24280
Contents
1 Introduction 4
2 Preparing for Installation 4
2.1 System Configuration 4
2.2 Dependencies 4
2.3 Prerequisites 4
2.4 Creating Database Schema for Policy Server 5
2.5 Configuring Java for Policy Server 5
2.6 Configuring Tomcat for Policy Server 5
2.6.1 Updating Java Options for Tomcat 5
2.6.2 Customizing Tomcat Error Handling 6
2.6.3 Allowing/Restricting Tomcat Manager Application 6
2.6.4 Copying Common Libraries 7
2.6.5 Configuring server.xml in Apache Tomcat 7
2.7 Disabling ProxyErrorOverride in Apache server 10
3 Setting Up and Configuring Policy Server 10
3.1 Adding Deployment Specific Buffer Files 10
3.2 License File 10
3.3 Consent File 10
3.4 Run Tomcat Service 11
3.5 Provide Configuration Details 11
3.6 Seclore Online Help 11
4 Configure BYOK (Bring Your Own Key) in Policy Server 11
5 Adoption Stats 12
6 Post Installation Configurations 12
7 Configuring Other Components 12
7.1 Lite Server 12
8 Uploading Customized Seclore Client Installers in Policy Server 12
9 Frequently Asked Questions 13
9.1 How do I acquire the Policy Server License? 13
9.2 How do I set up the logger? 13
9.3 How do I generate a self-signed SSL certificate? 13
9.4 How do I get a CA signed SSL certificate? 14
9.5 How do I configure Windows Integrated Authentication for MSSQL? 15
9.6 What is JNDI Connection Pooling? 15
9.7 How do I configure the Adoption Stats feature in Policy Server? 15
9.8 How do I tune the system for higher performance? 15
10 Resources 16
1 Introduction
This guide provides information about the basic installation and setup of the Policy Server components.
Note:
- If the Policy Server requires customizations, refer to the customization-specific deployment documents after the Policy Server deployment.
- To add one more Policy Server to an existing load balancing (HA) setup, refer to 'Add One More Policy Server In HA Mode.pdf' (Policy Server [Version]\Installation Docs\Add Policy Server in HA Mode\Add One More Policy Server In HA Mode.pdf).
2 Preparing for Installation
The system configuration, prerequisites and dependencies for the installation and configuration of Policy Server are summarized in the sections below.
2.1 System Configuration
Policy Server deployment requires the following system configuration:
- RAM: 2 GB or above
- Hard Disk: 40 GB or above
- Operating System: Windows Server 2012 / 2012 R2 / 2016 / 2019
Note:
- It is recommended that you place all Seclore components and other related installations (Java, Tomcat, Policy Server, SIM, Site Server, etc.) in a folder named 'Seclore' on a non-OS drive, for example 'D:\Seclore'.
- The '<POLICYSERVER_HOME>\config\reporting' folder requires extra disk space for storing the reporting index files. For every one million file activities, 500 MB of additional disk space is required.
2.2 Dependencies
The dependencies for the deployment of Policy Server are as follows:
- Database: Ensure that an MS SQL or Oracle database is properly installed. The supported databases are:
  o MS SQL 2008, 2012, 2014, 2016 and 2017
  o Oracle 12c, 18c and 19c
  o Note: For multilingual support with an Oracle database: Policy Server supports internationalization and localization of data, so for multilingual support ensure that the database character set 'AL32UTF8' is selected during installation of the Oracle database.
- Java: Ensure that OpenJDK 11.0.1 is installed. If not, refer to 'Open JDK 11 Installation Guide.pdf' in the References folder for the installation guidelines.
- Web Application Server: Ensure that Apache Tomcat 9.0.31 is installed. If not, refer to 'Tomcat 9 Installation Guide.pdf' in the References folder for the installation guidelines.
2.3 Prerequisites
Ensure that the prerequisites below are met before you start the Policy Server deployment:
- The Java installation is successful.
- The Tomcat installation is successful.
- SSL certificate:
  o For a production deployment, a valid SSL certificate is required. Refer to 'How do I get a CA signed SSL certificate'.
  o For a POC/Demo/UAT deployment, a self-signed SSL certificate is enough. Refer to 'How do I generate a self-signed SSL certificate'.
- Ensure that a valid Policy Server license is available. Refer to 'How do I acquire the Policy Server License'.
- Policy Server Consent:
  o For a production deployment, a valid Policy Server Consent file is required. This file can be generated after an authorized person from the customer's end accepts the license terms and conditions.
  o For a POC/Demo/UAT deployment, a consent file is not required.
Important Note: Make sure that the service account under which Tomcat runs has Full Permissions on the PolicyServer folder.
2.4 Creating Database Schema for Policy Server
Refer to 'Creating Database Schema.pdf' in the 'Policy Server [Version]\Installation Docs\References' folder for creating the database schema for Policy Server.
Note: Screenshots are for representational purposes only. The Java and Tomcat versions must match those mentioned in the steps.
2.5 Configuring Java for Policy Server
Locate the JDK folder used by the Apache Tomcat server:
1. Run Tomcat9w.exe from the '<TOMCAT_HOME>\bin' folder.
2. Click the Java tab and verify the JDK path in the 'Java Virtual Machine' field.
2.6 Configuring Tomcat for Policy Server
Note: The memory usage of the Tomcat server depends on the number of concurrent requests for viewing files processed by the Policy Server. It is recommended to assign more JVM memory to Tomcat for better performance of Policy Server. Refer to 'Tweaking Tomcat JVM Memory.txt' in the Supplements folder for the detailed steps.
2.6.1 Updating Java Options for Tomcat
1. Run '<TOMCAT_HOME>\bin\Tomcat9w.exe'.
2. Go to the Java tab.
3. Add the following options in the 'Java Options' field:
    -Duser.timezone=Asia/Calcutta
        Updates the time zone information in Tomcat. For configuring other time zones, refer to 'Seclore Supported Timezones.pdf' in the References folder.
    -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
        Required if you plan to configure a Simple AD repository in Policy Server to connect to Active Directory; otherwise it can be skipped. Refer to 'What is JNDI Connection Pooling' for further details.
4. Add the following options, required by Seclore Policy Server, in the 'Java 9 Options' field:
    --add-opens=java.base/java.nio=ALL-UNNAMED
    --add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
    --add-exports=java.desktop/sun.awt=ALL-UNNAMED
    --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED
    --add-exports=java.desktop/com.sun.imageio.plugins.png=ALL-UNNAMED
    --add-exports=java.desktop/com.sun.imageio.plugins.common=ALL-UNNAMED
    --add-exports=java.base/sun.security.provider=ALL-UNNAMED
    --add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
    --add-modules=jdk.rmic
    --add-exports=jdk.rmic/sun.tools.javac=ALL-UNNAMED
Note: Do not update or delete the default 'Java 9 Options' already present in Tomcat 9.
2.6.2 Customizing Tomcat Error Handling
1. Copy SecloreCustomErrorReportValve.jar from the 'Policy Server [Version]\Tools\Tomcat\Configure Custom Error Pages' directory to the '<TOMCAT_INSTALL_FOLDER>\lib' directory.
2. Open server.xml from '<TOMCAT_INSTALL_FOLDER>\conf'.
3. Add the errorReportValveClass attribute inside the <Host ...> tag to customize error handling for the Tomcat server:
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true"
          errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">
2.6.3 Allowing/Restricting Tomcat Manager Application
By default, the Manager application is enabled in Tomcat. If the Tomcat Manager application is enabled, any user can access the application, and users can reload any web application from the Tomcat Manager. It is highly recommended to restrict the Tomcat Manager application in the production environment.
Note: To restart any web application, restart the Tomcat server.
To restrict the Tomcat Manager application:
1. Take a backup of the following files:
   From the <TOMCAT_HOME>\webapps\ROOT folder:
   I. index.jsp
   II. favicon.ico
   From <TOMCAT_HOME>\webapps:
   I. docs
   II. examples
   III. host-manager
   IV. manager
2. Overwrite index.jsp and favicon.ico with the files from the 'Policy Server [Version]\Tools\Tomcat\Block Manager Application' folder.
3. Update the index.jsp page to enable one of the following options:
   Display a blank page with a security message:
   I. Open the index.jsp file.
   II. Uncomment Block 1.
   III. Provide the customized message.
   Display a blank page with a security message and the Policy Server redirect URL:
   I. Open the index.jsp file.
   II. Uncomment Block 2.
   III. Provide the customized message.
   IV. Provide the application name in the anchor tag.
   Redirect to Policy Server:
   I. Open the index.jsp file.
   II. Uncomment Block 3.
   III. Provide the application name.
4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:
   - docs
   - examples
   - host-manager
   - manager
2.6.4 Copying Common Libraries
Copy the common library files from 'Policy Server [Version]\Tools\Common Libs' to '<TOMCAT_HOME>\lib'.
2.6.5 Configuring server.xml in Apache Tomcat
The server.xml file is in the <TOMCAT_HOME>\conf folder.
1. Comment out the <Connector> tags with port attributes 8080 and 8009 by enclosing the tags within <!-- -->, if these ports are not used by any other application:
    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
2. Add the following <Connector> configuration to server.xml inside the <Service name="Catalina"> tag.
Note:
- The keyAlias value is the alias name that you entered while creating the keystore entry.
- disableUploadTimeout is set to false to allow uploading larger files through the Lite Server application.
- Check that the port specified in the connector tag below is not used by any other application.
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
        keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE" keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
        redirectPort="-1" maxHttpHeaderSize="16384" disableUploadTimeout="false" connectionUploadTimeout="3600000"
        acceptCount="100" acceptorThreadCount="2" maxThreads="15000" maxConnections="-1"
        useServerCipherSuitesOrder="true" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
        sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8" server="Seclore Server"
        ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
    </Connector>
Note: Refer to 'SSL 3.0 Configuration.txt' only if you need to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (24000 and older).
3. Add the configuration for the AJP connector.
Note:
- The AJP connector is needed only if Apache is in front of the Policy Server.
- In an ideal scenario only one connector configuration should be present, and the other connector configurations removed.
- In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. If this configuration is changed, it should be corrected on both the Apache reverse proxy and the Tomcat server.
- The address attribute value should be the IP of the Tomcat server that is configured in Apache for the proxy pass.
- The requiredSecret attribute value should be the same as configured in Apache's policyserver vhost file. Refer to the 'secret' keyword while configuring the AJP BalancerMember.
    <Connector port="8009" protocol="AJP/1.3"
        packetSize="16384" URIEncoding="UTF-8" connectionTimeout="1200000" keepAliveTimeout="1200000"
        maxConnections="-1" maxThreads="15000" address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />
4. Add the configuration for Policy Server within the <Host ...> tag.
Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.
For an MS SQL Database Server:
Note: Refer to 'How do I configure Windows Integrated Authentication for MSSQL' to enable Windows authentication for the MS SQL Database Server.
    <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
        <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
        <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
            username="USERNAME" password="PASSWORD" maxWaitMillis="5000" maxTotal="30000"
            removeAbandonedOnBorrow="true" removeAbandonedTimeout="300" logAbandoned="true"
            testOnBorrow="true" validationQuery="select GETDATE()"/>
        <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
            <Store className="org.apache.catalina.session.FileStore"/>
        </Manager>
    </Context>
For an Oracle Database Server:
Note: Refer to 'Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt' to configure an encrypted username and password for the database.
    <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
        <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
        <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.driver.OracleDriver"
            url="jdbc:oracle:thin:@DBSERVERNAME:PORT/SERVICENAME"
            username="USERNAME" password="PASSWORD" maxWaitMillis="5000" maxTotal="30000"
            removeAbandonedOnBorrow="true" removeAbandonedTimeout="300" logAbandoned="true"
            testOnBorrow="true" validationQuery="select * from dual"/>
        <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
            <Store className="org.apache.catalina.session.FileStore"/>
        </Manager>
    </Context>
5. Add the configuration for RemoteIpValve inside the <Context ...> tag.
Note: Refer to 'Policy Server[Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf' for configuring RemoteIpValve in different server setups.
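Added example, not Seclore's tooling and not part of this guide: a read-only Python audit of a server.xml in the shape of sections 2.6.2 to 2.6.5. It reports what a reviewer checks before go-live: the Tomcat Manager, host-manager, docs and examples applications that section 2.6.3 removes from webapps; placeholder values (PASSWORD, YOUR_AJP_SECRET, ABSOLUTE PATH ...) left in the connectors, the Context docBase and the JDBC Resource; the maxHttpHeaderSize and packetSize of 16384 the connectors above set; a Host tag without the errorReportValveClass from 2.6.2; and a plain HTTP connector still active. It also flags two settings the connector in step 2 still enables and that a production deployment should reconsider: the TLSv1 and TLSv1.1 protocols (deprecated by RFC 8996) and the 3DES cipher suite. Both server.xml samples, the credential values in the hardened one, and the function names are constructed for this example; the valve class name is the one reconstructed in section 2.6.2.

```python
# Added example (not Seclore tooling): audit a Tomcat server.xml against the
# settings in sections 2.6.2 to 2.6.5 of this guide. Read-only; standard library only.
import xml.etree.ElementTree as ET

# Values the guide ships as placeholders; each must be replaced before go-live.
PLACEHOLDERS = {"", "PASSWORD", "USERNAME", "YOUR_AJP_SECRET", "NAME_OF_KEYSTORE_ALIAS",
                "ABSOLUTE PATH OF THE KEY STORE FILE", "ABSOLUTE PATH OF POLICYSERVER HOME FOLDER"}
# TLS versions deprecated by RFC 8996; the connector in section 2.6.5 still lists them.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}
# Default Tomcat applications that section 2.6.3 removes from <TOMCAT_HOME>\webapps.
DEFAULT_APPS = {"docs", "examples", "host-manager", "manager"}


def _csv(value):
    """Split a comma-separated attribute such as ciphers or sslEnabledProtocols."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def audit_server_xml(xml_text):
    """Return a list of finding strings for the given server.xml content."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):  # connectors inside <!-- --> are not parsed
        port = conn.get("port", "?")
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            # Tomcat 9.0.31 accepts 'secret' as well; the guide uses requiredSecret.
            if conn.get("requiredSecret", conn.get("secret", "")) in PLACEHOLDERS:
                findings.append(f"AJP {port}: requiredSecret missing or still a placeholder")
            if not conn.get("address"):
                findings.append(f"AJP {port}: no address attribute; bind it to the IP Apache proxies to")
            if conn.get("packetSize") != "16384":
                findings.append(f"AJP {port}: packetSize should be 16384")
            continue
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"connector {port}: plain HTTP connector active; comment it out if unused")
            continue
        legacy = LEGACY_PROTOCOLS & set(_csv(conn.get("sslEnabledProtocols")))
        if legacy:
            findings.append(f"connector {port}: legacy protocols enabled: {', '.join(sorted(legacy))}")
        weak = [c for c in _csv(conn.get("ciphers")) if "3DES" in c]
        if weak:
            findings.append(f"connector {port}: 3DES cipher suite enabled: {', '.join(weak)}")
        if conn.get("maxHttpHeaderSize") != "16384":
            findings.append(f"connector {port}: maxHttpHeaderSize should be 16384")
        for attr in ("keystoreFile", "keyAlias", "keystorePass"):
            if conn.get(attr, "") in PLACEHOLDERS:
                findings.append(f"connector {port}: {attr} missing or still a placeholder")
    for host in root.iter("Host"):
        if not host.get("errorReportValveClass"):
            findings.append(f"Host {host.get('name')}: errorReportValveClass not set (section 2.6.2)")
    for ctx in root.iter("Context"):
        if ctx.get("docBase", "") in PLACEHOLDERS:
            findings.append(f"Context {ctx.get('path')}: docBase still a placeholder")
        for res in ctx.iter("Resource"):
            if res.get("password", "") in PLACEHOLDERS:
                findings.append(f"Resource {res.get('name')}: database password still a placeholder")
    return findings


def leftover_default_apps(webapps_entries):
    """Entries of <TOMCAT_HOME>\\webapps (e.g. os.listdir) that section 2.6.3 removes."""
    return sorted(DEFAULT_APPS & set(webapps_entries))


# Constructed sample in the shape of the guide's snippets, with typical go-live slips.
SAMPLE_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="D:\Seclore\acmegroup.keystore" keyAlias="tomcat" keystorePass="PASSWORD"
               maxHttpHeaderSize="16384" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="8009" protocol="AJP/1.3" packetSize="16384" address="127.0.0.1"
               requiredSecret="YOUR_AJP_SECRET"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="/policyserver" docBase="D:\Seclore\Policy Server">
          <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
                    username="psuser" password="PASSWORD"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>"""

# The same file with placeholders filled in (constructed values) and legacy settings removed.
HARDENED_SERVER_XML = (SAMPLE_SERVER_XML
    .replace('keystorePass="PASSWORD"', 'keystorePass="example-keystore-pw"')
    .replace('sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"', 'sslEnabledProtocols="TLSv1.2"')
    .replace(",TLS_RSA_WITH_3DES_EDE_CBC_SHA", "")
    .replace('requiredSecret="YOUR_AJP_SECRET"', 'requiredSecret="example-ajp-secret"')
    .replace('autoDeploy="true">', 'autoDeploy="true" '
             'errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">')
    .replace('password="PASSWORD"', 'password="example-db-pw"'))

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_server_xml(text))
    print("leftover apps:", leftover_default_apps(["ROOT", "manager", "policyserver", "docs"]))
```

Run it against the real file with audit_server_xml(open(r"<TOMCAT_HOME>\conf\server.xml").read()) and leftover_default_apps(os.listdir(r"<TOMCAT_HOME>\webapps")); the sample yields six findings and the hardened variant none. The audit never reads keystores or touches the database, so it can run on the Tomcat service account without extra permissions.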
2.7 Disabling ProxyErrorOverride in Apache server
Perform the following steps if your Policy Server is deployed behind an Apache server:
1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines to it:
    <If "%{HTTP_ACCEPT} =~ /json/">
        ProxyErrorOverride Off
    </If>
    <If "%{HTTP_ACCEPT} =~ /xml/">
        ProxyErrorOverride Off
    </If>
3. Restart the Apache server.
Note: The HTTP header size is changed from the default 8 KB to 16 KB. This setting applies to all applications running on that Tomcat.
- If Tomcat is running on an HTTP/HTTPS port, add the 'maxHttpHeaderSize' attribute with the value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... >
- If Tomcat is running on an AJP port, add the 'packetSize' attribute with the value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... >
- When Tomcat is running behind an Apache server, the Apache server also needs to be configured to accept requests with a 16 KB header size.
- If Tomcat/Apache is behind a Load Balancer (LB), make sure it is configured to accept requests with a 16 KB header size.
3 Setting Up and Configuring Policy Server
The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the 'Policy Server[Version]\Web App' folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.
Follow the steps below to configure the Policy Server.
3.1 Adding Deployment Specific Buffer Files
Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custom\bufferfiles folder. If the deployment is for a demo or POC and a default buffer file is needed, the buffer files can be copied from 'Policy Server[Version]\Installation Docs'.
3.2 License File
Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.
3.3 Consent File
Place the Policy Server Consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.
3.4 Run Tomcat Service
Configure a valid BYOK (Bring Your Own Key); refer to 'Configure BYOK (Bring Your Own Key) in Policy Server'. Then run the Apache Tomcat 9.0 service to start the Policy Server.
3.5 Provide Configuration Details
1. Access <POLICY_SERVER_APPLICATION_URL>/sysadmin.
2. Log in using the system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.
Note: For any later changes to the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.
3.6 Seclore Online Help
The Seclore Online Help is updated regularly to provide the latest information about the Seclore components and their functionalities.
To configure Seclore Online Help:
1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:
    PolicyServer portal pages\
        help\
            en\
                aportal\
                aum\
                eum\
                hag\
                sag\
            es\
3. Copy the contents of the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.
4. Overwrite existing files and folders if prompted.
Note:
o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.
o If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.
4 Configure BYOK (Bring Your Own Key) in Policy Server
Policy Server supports the following key management systems:
o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to 'Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt'.
o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to 'Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt'.
By default Seclore MDK is configured. It is recommended to use Seclore MDK; however, you can disable it.
Perform the following steps to disable BYOK:
1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml. By default it contains:
    <?xml version="1.0" encoding="UTF-8"?>
    <mdk-configs>
        <!-- Configure External Encryption Mechanism here -->
        <mdk-config>
            <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
        </mdk-config>
    </mdk-configs>
   a. Remove the entire <mdk-config> tag.
   b. Only an empty <mdk-configs> tag should remain:
    <?xml version="1.0" encoding="UTF-8"?>
    <mdk-configs>
    </mdk-configs>
Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.
5 Adoption Stats
Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to 'How do I configure the Adoption Stats feature in Policy Server'.
Note: This feature requires a valid consent file to be available.
- For a production deployment, Adoption Stats are not sent if a valid consent file is not available.
- For a POC/Demo/UAT deployment, Adoption Stats are not sent irrespective of the consent.
6 Post Installation Configurations
The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".
The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".
A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admin), manage Enterprise Applications, etc.
7 Configuring Other Components
7.1 Lite Server
Refer to the installation guide 'Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt' for the Lite Server application deployment.
8 Uploading Customized Seclore Client Installers in Policy Server
1. Access the <POLICY_SERVER_APPLICATION_URL>/sysadmin URL.
2. Log in using the System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.
6. To verify the uploaded installer file, click the download icon or the installer file name.
9 Frequently Asked Questions
9.1 How do I acquire the Policy Server License?
To acquire the license:
1. Copy UserInfo.exe from 'Policy Server [Version]\License Utility\UserInfo.exe' to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run UserInfo.exe on the machine where the Policy Server needs to be installed.
The above step generates an XML file in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.
9.2 How do I set up the logger?
Logging for the Policy Server can be set in 4 different modes:
- Off: Logs nothing.
- Error: Logs only errors.
- Info: Logs errors and major milestones such as connection to the database or connection to AD.
- Debug: Logs each processing step of the server in detail.
To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. The loggers are:
- REQUEST: Logs all the requests sent by the different clients to Policy Server (<POLICYSERVER_HOME>\logs\Request.log).
- DEBUG: Logs all the processing steps for any request being served (<POLICYSERVER_HOME>\logs\PolicyServer.log).
- SYNC: Logs the steps while synchronizing the different repositories (<POLICYSERVER_HOME>\logs\Sync.log).
Modify the level attribute of the following entries to set the logging type for each logger:
    <AsyncLogger name="REQUEST" level="debug" additivity="false">
    <AsyncLogger name="DEBUG" level="debug" additivity="false">
    <AsyncLogger name="SYNC" level="debug" additivity="false">
9.3 How do I generate a self-signed SSL certificate?
To create the certificate file:
1. Open a command prompt.
2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore, and enter the details as shown below.
Note:
- Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
- For 'First and last name', enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a Wildcard Certificate this must begin with the '*' character, for example *.yourdomain.com.
- The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.
3. Enter the following command.
Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore
At the end of this activity, an "acmegroup.keystore" file is created. The keystore file is created in the directory the command prompt pointed to while running the keytool command; for example, in the sample screens above, the keystore file is generated at D:\Seclore.
Note: This keystore file is referred to later in the Tomcat server.xml configuration.
9.4 How do I get a CA signed SSL certificate?
Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.
To generate a CSR (Certificate Signing Request) and import the certificate:
1. Generate the keystore file. Refer to 'How do I generate a self-signed SSL certificate' to get the keystore file.
2. Generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:
       keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.
   c. Send the CSR to the vendor of the SSL certificate.
   Note: Keep the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.
3. After receiving the certificates from the vendor, import them into the keystore:
   For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
9.5 How do I configure Windows Integrated Authentication for MSSQL?
To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the 'Policy Server[Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf' file.
9.6 What is JNDI Connection Pooling?
Policy Server uses a JNDI connection pool to connect to the Active Directory domain controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
The default connection timeout at the Active Directory domain controller end is 15 minutes. Seclore recommends providing the following parameter with the Tomcat startup arguments:
    -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter tells the pool to release a connection if it has been idle in the pool for more than 10 minutes (600000 milliseconds). You can configure other parameters as well, according to the requirements of the deployment.
To configure the startup parameter in Tomcat Server:
1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name-value pair, for example: -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
9.7 How do I configure the Adoption Stats feature in Policy Server?
To disable or enable the Adoption Stats feature, execute the respective script in the database.
For disabling Adoption Stats:
o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql
For enabling Adoption Stats:
o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql
9.8 How do I tune the system for higher performance?
For tuning the system to achieve higher performance, follow the steps provided in the 'Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt' file.
10 Resources
Below is the list of documents included, with their locations.
Policy Server [Version]\Installation Docs
- Lite Server Installation Guide.txt: Steps for Lite Server installation
Policy Server [Version]\Installation Docs\Supplements
- Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
- Connecting to AD over SSL.txt: Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL)
- SIM repository Configuration.pdf: Steps to configure the SIM Repository in Policy Server
- Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate into the Java certificate trust store
- Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat
- Tomcat Valve Configuration for Resolving Client IP Addresses.pdf: Steps to configure RemoteIpValve in different server environment setups
- Thales HSM Configuration Guide.txt: Steps to configure Thales HSM in Policy Server
- Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server
- Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server
- Seclore License Portal – User Manual.pdf: Steps to generate a valid PolicyServer.consent file
- Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server
- SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0
- GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server
Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
- Windows Integrated Auth MSSQL.pdf: Steps to configure Windows integrated authentication for MSSQL
Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
- Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in for Policy Server
Policy Server [Version]\Installation Docs\References
- Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server
- Open JDK 11 Installation Guide.pdf: Steps to install Open JDK 11 for Policy Server
- Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server
- Seclore Supported Timezones.pdf: List of time zones that can be configured in the Tomcat Java options
- TCP Socket Timeout Configuration.txt: Steps to configure tcpTimedWaitDelay
This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.
1 Introduction
This guide provides information about the basic installation and setup of Policy Server components.
Note:
- In case the Policy Server requires customizations, refer to the customization-specific deployment documents after Policy Server deployment.
- In case of adding one more Policy Server to an existing load balancing (HA) mode setup, refer to Add One More Policy Server In HA Mode.pdf (Policy Server [Version]\Installation Docs\Add Policy Server in HA Mode\Add One More Policy Server In HA Mode.pdf).
2 Preparing for Installation
The system configuration, prerequisites and dependencies for the installation and configuration of Policy Server are summarized in the sections below.
2.1 System Configuration
Policy Server deployment requires the following system configuration:
- RAM: 2 GB or above
- Hard Disk: 40 GB or above
- Operating System: Windows Server 2012 / 2012 R2 / 2016 / 2019
Note:
- It is recommended that you place all Seclore components and other related installations (Java, Tomcat, Policy Server, SIM, Site Server, etc.) in a folder named 'Seclore' on a non-OS drive, for example 'D:\Seclore'.
- The '<POLICYSERVER_HOME>\config\reporting' folder requires extra disk space for storing reporting index files: for every one million file activities, 500 MB of additional disk space is required.
2.2 Dependencies
The dependencies for the deployment of Policy Server are as follows:
- Database: Ensure that an MS SQL or Oracle database is properly installed. The supported databases are:
  o MS SQL 2008, 2012, 2014, 2016 and 2017
  o Oracle 12c, 18c and 19c
  o Note: For multilingual support with an Oracle database: Policy Server supports internationalization and localization of data, so ensure that the database character set 'AL32UTF8' is selected during installation of the Oracle database.
- Java: Ensure that OpenJDK 11.0.1 is installed. If not, refer to Open JDK 11 Installation Guide.pdf in the References folder for the installation guidelines.
- Web Application Server: Ensure that Apache Tomcat 9.0.31 is installed. If not, refer to Tomcat 9 Installation Guide.pdf in the References folder for the installation guidelines.
2.3 Prerequisites
Ensure that the prerequisites below are met before you start the Policy Server deployment:
- Java installation is successful.
- Tomcat installation is successful.
- SSL Certificate:
  o For a production deployment a valid SSL certificate is required. Refer to How do I get a CA signed SSL certificate.
  o For a POC/Demo/UAT deployment a self-signed SSL certificate is enough. Refer to How do I generate self-signed SSL certificate.
- Ensure that a valid Policy Server License is available. Refer to How do I acquire the Policy Server License.
- Policy Server Consent:
  o For a production deployment a valid Policy Server Consent file is required. This file can be generated after an authorized person from the customer side accepts the license terms and conditions.
  o For a POC/Demo/UAT deployment the consent file is not required.
Important Note: Make sure that the service account under which Tomcat runs has Full Control permissions on the PolicyServer folder. Grant this to that account only, not to Everyone or to other interactive users.
2.4 Creating Database Schema for Policy Server
Refer to Creating Database Schema.pdf in the 'Policy Server [Version]\Installation Docs\References' folder for creating the database schema for Policy Server.
Note: Screenshots are for representational purposes only. Java and Tomcat versions must match those mentioned in the steps.
2.5 Configuring Java for Policy Server
Locate the JDK folder used by the Apache Tomcat server:
1. Run Tomcat9w.exe from the '<TOMCAT_HOME>\bin' folder.
2. Click the Java tab and verify the JDK path in the 'Java Virtual Machine' field.
2.6 Configuring Tomcat for Policy Server
Note: The memory usage of the Tomcat server depends on the number of concurrent file-viewing requests processed by the Policy Server. It is recommended to assign more JVM memory to Tomcat for better Policy Server performance. Refer to Tweaking Tomcat JVM Memory.txt in the Supplements folder for the detailed steps.
2.6.1 Updating Java Options for Tomcat
1. Run '<TOMCAT_HOME>\bin\Tomcat9w.exe'.
2. Go to the Java tab.
3. Add the following options in the 'Java Options' field:
- -Duser.timezone=Asia/Calcutta: Sets the time zone used by Tomcat. For other time zones, refer to Seclore Supported Timezones.pdf in the References folder.
- -Dcom.sun.jndi.ldap.connect.pool.timeout=600000: Required only if you plan to configure a Simple AD Repository in Policy Server to connect to Active Directory; otherwise it can be skipped. Refer to What is JNDI Connection Pooling for further details.
4. Add the following options, required by Seclore Policy Server, in the 'Java 9 Options' field.
Note: Do not update or delete the default 'Java 9 Options' already present in Tomcat 9.
--add-opens=java.base/java.nio=ALL-UNNAMED
--add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
--add-exports=java.desktop/sun.awt=ALL-UNNAMED
--add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED
--add-exports=java.desktop/com.sun.imageio.plugins.png=ALL-UNNAMED
--add-exports=java.desktop/com.sun.imageio.plugins.common=ALL-UNNAMED
--add-exports=java.base/sun.security.provider=ALL-UNNAMED
--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
--add-modules=jdk.rmic
--add-exports=jdk.rmic/sun.tools.javac=ALL-UNNAMED
2.6.2 Customizing Tomcat Error Handling
1. Copy SecloreCustomErrorReportValve.jar from the 'Policy Server [Version]\Tools\Tomcat\Configure Custom Error Pages' directory to the '<TOMCAT_INSTALL_FOLDER>\lib' directory.
2. Open server.xml from '<TOMCAT_INSTALL_FOLDER>\conf'.
3. Add the errorReportValveClass attribute inside the <Host ...> tag to customize error handling for the Tomcat server:
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true"
      errorReportValveClass="com.seclore.fs.custom.error.valve.SecloreCustomErrorReportValve">
Confirm the fully qualified class name against the contents of the JAR (for example with jar tf SecloreCustomErrorReportValve.jar) before restarting Tomcat; the valve replaces the default error report valve for every application deployed under this Host.
2.6.3 Allowing/Restricting Tomcat Manager Application
By default the manager application is enabled in Tomcat. If the Tomcat manager application is enabled, it is exposed to every user who can reach Tomcat, and users with access to it can reload any web application. It is highly recommended to restrict the Tomcat manager application in the production environment.
Note: To restart any web application, restart the Tomcat server.
To restrict the Tomcat Manager application:
1. Take a backup of the following files:
   From the <TOMCAT_HOME>\webapps\ROOT folder:
   I. index.jsp
   II. favicon.ico
   From <TOMCAT_HOME>\webapps:
   I. docs
   II. examples
   III. host-manager
   IV. manager
2. Overwrite index.jsp and favicon.ico with the copies from the Policy Server [Version]\Tools\Tomcat\Block Manager Application folder.
3. Update the index.jsp page to enable one of the following options:
   Display a blank page with a security message:
   I. Open the index.jsp file.
   II. Uncomment Block 1.
   III. Provide the customized message.
   Display a blank page with a security message and a Policy Server redirect URL:
   I. Open the index.jsp file.
   II. Uncomment Block 2.
   III. Provide the customized message.
   IV. Provide the application name in the anchor tag.
   Redirect to Policy Server:
   I. Open the index.jsp file.
   II. Uncomment Block 3.
   III. Provide the application name.
4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:
   docs
   examples
   host-manager
   manager
2.6.4 Copying Common Libraries
Copy the common library files from Policy Server [Version]\Tools\Common Libs to <TOMCAT_HOME>\lib.
2.6.5 Configuring server.xml in Apache Tomcat
The server.xml file is in the <TOMCAT_HOME>\conf folder.
1. Comment out the <Connector> tags with port attributes 8080 and 8009 by enclosing these tags within <!-- -->, if these ports are not used by any other application:
<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
2. Add the following <Connector> configuration to server.xml inside the <Service name="Catalina"> tag.
Note:
- The keyAlias value is the name of the alias you entered while creating the keystore entry.
- disableUploadTimeout is set to false to allow uploading larger files through the Lite Server application.
- Check that the port specified in the connector tag below is not used by any other application.
- keystorePass is stored in clear text in server.xml; restrict read access to <TOMCAT_HOME>\conf to the Tomcat service account and administrators.
<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE" keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
           redirectPort="-1" maxHttpHeaderSize="16384"
           disableUploadTimeout="false" connectionUploadTimeout="3600000"
           acceptCount="100" acceptorThreadCount="2" maxThreads="15000" maxConnections="-1"
           useServerCipherSuitesOrder="true" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8" server="Seclore Server"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
</Connector>
Note: The protocol and cipher lists above are the ones this guide ships with. TLSv1 and TLSv1.1 are deprecated (RFC 8996), the TLS_RSA_* suites provide no forward secrecy and 3DES is weak, so for a new production deployment restrict sslEnabledProtocols to TLSv1.2 and keep only the TLS_ECDHE_* suites unless older Seclore clients that need the remaining entries must still connect.
Note: Refer to SSL 3.0 Configuration.txt only to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (24000 and older). SSL 3.0 is broken and should stay disabled unless such clients cannot be upgraded.
3. Add the configuration for the AJP connector.
Note:
- The AJP connector is needed only if Apache sits in front of the Policy Server.
- Ideally only one connector configuration (HTTPS or AJP) should be present; remove the other.
- In Apache, the TTL for the BalancerMember should be 1200 (seconds) to match connectionTimeout and keepAliveTimeout (1200000 ms). If this value is changed, it must be changed on both the Apache reverse proxy and the Tomcat server.
- The address attribute value should be the IP of the Tomcat server that is configured in Apache for the ProxyPass.
- The requiredSecret attribute value should be the same as configured in Apache's policyserver vhost file; refer to the secret keyword when configuring the ajp:// BalancerMember.
- Tomcat 9.0.31 renamed this attribute to secret (requiredSecret is still accepted as a deprecated alias) and, unless secretRequired="false" is set, will not start an AJP connector that has no secret. Keep the secret set and bind the connector to a loopback address or to an address reachable only by the Apache host; AJP must never be reachable from other hosts.
<Connector port="8009" protocol="AJP/1.3" packetSize="16384" URIEncoding="UTF-8"
           connectionTimeout="1200000" keepAliveTimeout="1200000" maxConnections="-1" maxThreads="15000"
           address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />
4. Add the configuration for Policy Server within the <Host ...> tag.
Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.
For MSSQL Database Server:
Note: Refer to How do I configure Windows Integrated Authentication for MSSQL to enable Windows authentication for the MSSQL Database Server; with Windows authentication no database password needs to be stored in server.xml at all.
<Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
  <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
            username="USERNAME" password="PASSWORD"
            maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
            logAbandoned="true" testOnBorrow="true" validationQuery="select GETDATE()"/>
  <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
For ORACLE Database Server:
Note: Refer to Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt to configure an encrypted username and password for the database.
<Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
  <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.driver.OracleDriver"
            url="jdbc:oracle:thin:@//DBSERVERNAME:PORT/SERVICENAME"
            username="USERNAME" password="PASSWORD"
            maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
            logAbandoned="true" testOnBorrow="true" validationQuery="select * from dual"/>
  <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
5. Add the configuration for RemoteIpValve inside the <Context ...> tag.
Note: Refer to Policy Server [Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf for configuring RemoteIpValve in different server setups. RemoteIpValve replaces the client address with the one carried in the X-Forwarded-For header, so restrict its internalProxies/trustedProxies attributes to the reverse proxies that actually sit in front of Tomcat; otherwise a client that can reach Tomcat directly can spoof the address that Policy Server records.
2.7 Disabling ProxyErrorOverride in Apache server
Perform the following steps if your Policy Server is deployed behind an Apache server:
1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines to it:
<If "%{HTTP_ACCEPT} =~ /json/">
    ProxyErrorOverride Off
</If>
<If "%{HTTP_ACCEPT} =~ /xml/">
    ProxyErrorOverride Off
</If>
3. Restart the Apache server.
Note on HTTP header size: the Policy Server connectors raise the HTTP header size from the default 8 KB to 16 KB, and this setting applies to all applications running on that Tomcat.
- If Tomcat is running on an HTTP/HTTPS port, add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1">
- If Tomcat is running on an AJP port, add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384">
- When Tomcat is running behind an Apache server, Apache will also need to be configured to accept 16 KB header size requests.
- If Tomcat/Apache is behind any load balancer (LB), make sure it is configured to accept 16 KB header size requests.
3 Setting Up and Configuring Policy Server
The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server [Version]\Web App folder to another folder. This new folder is referred to as <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.
Follow the steps mentioned below to configure the Policy Server.
3.1 Adding Deployment Specific Buffer Files
Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custombufferfiles folder. If the deployment is for demo or POC purposes and a default buffer file is needed, the buffer files can be copied from Policy Server [Version]\Installation Docs.
3.2 License File
Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.
3.3 Consent File
Place the Policy Server Consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.
3.4 Run Tomcat Service
Configure a valid BYOK (Bring Your Own Key); refer to Configure BYOK (Bring Your Own Key) in Policy Server. Then run the Apache Tomcat 9.0 service to start the Policy Server.
3.5 Provide Configuration Details
1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.
2. Log in using the system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.
Note: For any later changes to the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.
3.6 Seclore Online Help
Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.
To configure Seclore Online Help:
1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:
PolicyServer
  portal
    pages
      help
        en
          aportal
          aum
          eum
          hag
          sag
        es
3. Copy the contents of the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.
4. Overwrite existing files and folders if prompted.
Note:
o Refer to the README.txt file provided with the help manuals; detailed instructions for deploying the help manuals are given in this file.
o If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.
4 Configure BYOK (Bring Your Own Key) in Policy Server
Policy Server supports the following key management systems:
o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt.
o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt.
By default Seclore MDK is configured, and it is recommended to use Seclore MDK. The default <POLICYSERVER_HOME>\config\MDKConfig.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
  <!-- Configure External Encryption Mechanism here -->
  <mdk-config>
    <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
  </mdk-config>
</mdk-configs>
However, you can disable it. Perform the following steps to disable BYOK:
1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml.
   a. Remove the entire <mdk-config> tag.
   b. Only an empty <mdk-configs> tag should be present:
<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
</mdk-configs>
Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered, so decide on the key management system before the first file is protected.
5 Adoption Stats
Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default; plan the outbound firewall rule for that host accordingly. To disable Adoption Stats, refer to How do I configure Adoption Stats feature in Policy Server.
Note: This feature requires a valid consent file to be available.
- For a production deployment, Adoption Stats are not sent if a valid consent file is not available.
- For a POC/Demo/UAT deployment, Adoption Stats are not sent irrespective of the consent file.
6 Post Installation Configurations
The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".
The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".
A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admins), manage Enterprise Applications, etc.
7 Configuring Other Components
7.1 Lite Server
Refer to the installation guide at Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt for the Lite Server application deployment.
8 Uploading Customized Seclore Client Installers in Policy Server
1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.
2. Log in using the System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.
6. To verify the uploaded installer file, click the download icon or the installer file name.
9 Frequently Asked Questions
9.1 How do I acquire the Policy Server License
To acquire the license:
1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run UserInfo.exe on the machine where the Policy Server is to be installed.
The above step generates an XML file in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.
9.2 How do I set up the logger
Logging for the Policy Server can be set to 4 different levels:
- Off: Logs nothing.
- Error: Logs only errors.
- Info: Logs errors and major milestones, such as connection to the database or to AD.
- Debug: Logs each processing step of the server in detail.
To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. The loggers and their log files are:
- REQUEST: Logs all the requests sent by the different clients to Policy Server, in <POLICYSERVER_HOME>\logs\Request.log.
- DEBUG: Logs all the processing steps for any request being served, in <POLICYSERVER_HOME>\logs\PolicyServer.log.
- SYNC: Logs the steps taken while synchronizing the different repositories, in <POLICYSERVER_HOME>\logs\Sync.log.
Modify the level attribute of the following loggers for the different logging types:
<AsyncLogger name="REQUEST" level="debug" additivity="false">
<AsyncLogger name="DEBUG" level="debug" additivity="false">
<AsyncLogger name="SYNC" level="debug" additivity="false">
Note: Debug-level logging records every client request in detail. Keep production systems at Info or Error, enable Debug only while troubleshooting, and restrict read access to the logs folder to administrators.
9.3 How do I generate self-signed SSL certificate
To create the certificate file:
1. Open a command prompt.
2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore.
Note:
- Note down the alias name and password; these details are required while configuring the SSL key in the server.xml file.
- For "first and last name", enter the Fully Qualified Domain Name of the Policy Server, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.
- The keystore password and the key password for the alias are both required for the Policy Server application to function; the connector in server.xml sets only keystorePass, which Tomcat also uses as the key password, so use the same value for both.
3. Enter the following command.
Note: "tomcat" and "acmegroup.keystore" are placeholders; replace them with appropriate values before executing the command.
o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore
For a new deployment replace -sigalg SHA1WithRSA with -sigalg SHA256withRSA, since current browsers reject certificates signed with SHA-1; -genkey is a deprecated alias of -genkeypair and still works.
At the end of this activity an "acmegroup.keystore" file is created in the directory the command prompt pointed to when the keytool command was run; in the example above, the keystore file is generated in D:\Seclore.
Note: This keystore file is referred to later in the Tomcat server.xml configuration.
9.4 How do I get a CA signed SSL certificate
Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.
To generate a CSR (Certificate Signing Request) and import the certificate:
1. Generate the keystore file. Refer to How do I generate self-signed SSL certificate.
2. Generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:
   keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current directory.
   c. Send the CSR to the vendor of the SSL certificate.
   Note: Keep the keystore file (e.g. acmegroup.keystore), as the certificates will be installed into it later; it holds the private key matching the CSR, and a certificate issued for that CSR is useless without it.
3. After receiving the certificates from the vendor, import them into the keystore in this order:
   For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
   Note: The domain certificate must be imported under the same alias as the key pair (tomcat here); importing it under a different alias creates a separate trusted-certificate entry and leaves the self-signed certificate on the private key.
9.5 How do I configure Windows Integrated Authentication for MSSQL
To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps in the Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.
9.6 What is JNDI Connection Pooling
Policy Server uses a JNDI connection pool to connect to the Active Directory Domain Controller. Different parameters can be configured for the connection pool; see http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html for details about the connection pool parameters.
The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends providing the following parameter with the Tomcat startup arguments:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter tells the pool to release a connection that has been idle in the pool for more than 10 minutes (600000 milliseconds), i.e. before the domain controller closes it from its side. You can configure other parameters as well according to the requirements of the deployment.
To configure the startup parameter in Tomcat Server:
1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat9w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name/value pair, for example -Dcom.sun.jndi.ldap.connect.pool.timeout=600000.
9.7 How do I configure Adoption Stats feature in Policy Server
To disable or enable the Adoption Stats feature, execute the respective script in the database:
- For disabling Adoption Stats:
  o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
  o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql
- For enabling Adoption Stats:
  o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
  o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql
9.8 How do I tune the system for higher performance
To tune the system for higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.
10 Resources
Below is the list of documents included, with their locations.
Policy Server [Version]\Installation Docs
- Lite Server Installation Guide.txt: Steps for Lite Server installation
Policy Server [Version]\Installation Docs\Supplements
- Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
- Connecting to AD over SSL.txt: Steps to import the SSL certificate into the JVM for connecting to Active Directory over SSL
- SIM repository Configuration.pdf: Steps to configure the SIM Repository in Policy Server
- Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate into the Java certificate trust store
- Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat
- Tomcat Valve Configuration for Resolving Client IP Addresses.pdf: Steps to configure RemoteIpValve in different server environment setups
- Thales HSM Configuration Guide.txt: Steps to configure Thales HSM with Policy Server
- Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server
- Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server
- Seclore License Portal – User Manual.pdf: Steps to generate a valid PolicyServer.consent file
- Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server
- SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0
- GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server
Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
- Windows Integrated Auth MSSQL.pdf: Steps to configure Windows integrated authentication for MSSQL
Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
- Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in for Policy Server
Policy Server [Version]\Installation Docs\References
- Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server
- Open JDK 11 Installation Guide.pdf: Steps to install OpenJDK 11 for Policy Server
- Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server
- Seclore Supported Timezones.pdf: List of time zones that can be configured in the Tomcat Java options
- TCP Socket Timeout Configuration.txt: Steps to configure TcpTimedWaitDelay
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
3
98 How do I tune the system for higher performance 15
10 Resources 16
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
4
1 Introduction
This guide provides information about the basic installation and setup of Policy Server components.
Note:
- In case the Policy Server requires customizations, refer to the customization-specific deployment documents after Policy Server deployment.
- In case of adding one more Policy Server to an existing load balancing (HA) mode setup, refer to "Add One More Policy Server In HA Mode.pdf" (Policy Server [Version]\Installation Docs\Add Policy Server in HA Mode\Add One More Policy Server In HA Mode.pdf).

2 Preparing for Installation
The system configuration, prerequisites and dependencies for the installation and configuration of Policy Server are summarized in the sections below.

2.1 System Configuration
Policy Server deployment requires the following system configuration:
- RAM: 2 GB or above
- Hard Disk: 40 GB or above
- Operating System: Windows Server 2012 / 2012 R2 / 2016 / 2019
Note:
- It is recommended that you place all Seclore components and other related installations (Java, Tomcat, Policy Server, SIM, Site Server, etc.) in a folder named 'Seclore' on a non-OS drive, for example 'D:\Seclore'.
- The '<POLICYSERVER_HOME>\config\reporting' folder requires extra disk space for storing reporting index files. For every one million file activities, 500 MB of additional disk space is required.

2.2 Dependencies
The dependencies for the deployment of Policy Server are as follows:
- Database: Ensure that an MS SQL or Oracle database is properly installed. The supported databases are as follows:
  o MS SQL 2008, 2012, 2014, 2016 and 2017
  o Oracle 12c, 18c and 19c
  o Note: For multilingual support with an Oracle database: Policy Server supports internationalization and localization of data, so for multilingual support ensure that the database character set 'AL32UTF' is correctly selected during installation of the Oracle database.
- Java: Ensure that Open JDK 11.0.1 is installed. If not, refer to "Open JDK 11 Installation Guide.pdf" in the References folder for the installation guidelines.
- Web Application Server: Ensure that Apache Tomcat 9.0.31 is installed. If not, refer to "Tomcat 9 Installation Guide.pdf" in the References folder for the installation guidelines.

2.3 Prerequisites
Ensure that the below prerequisites are met before you start with the Policy Server deployment:
- Java installation is successful.
- Tomcat installation is successful.
- SSL certificate:
  o For production deployment, a valid SSL certificate is required. Refer to "How do I get a CA signed SSL certificate".
  o For POC/Demo/UAT deployment, a self-signed SSL certificate is enough. Refer to "How do I generate self-signed SSL certificate".
- Ensure that a valid Policy Server License is available. Refer to "How do I acquire the Policy Server License".
- Policy Server Consent:
  o For production deployment, a valid Policy Server Consent file is required. This file can be generated after an authorized person from the customer end accepts the license terms and conditions.
  o For POC/Demo/UAT deployment, a consent file is not required.
Important Note: Make sure that the service account under which Tomcat runs has Full Permissions on the PolicyServer folder.

2.4 Creating Database Schema for Policy Server
Refer to "Creating Database Schema.pdf" in the 'Policy Server [Version]\Installation Docs\References' folder for creating the database schema for Policy Server.
Note: Screenshots are for representational purposes only. Java and Tomcat versions must match those mentioned in the steps.

2.5 Configuring Java for Policy Server
Locate the JDK folder used by the Apache Tomcat server:
1. Run Tomcat9.exe from the '<TOMCAT_HOME>\bin' folder.
2. Click on the Java tab and verify the JDK path in the 'Java Virtual Machine' field.

2.6 Configuring Tomcat for Policy Server
Note: Memory usage of the Tomcat server depends on the concurrent requests for viewing files processed by the Policy Server. It is recommended to assign higher JVM memory to Tomcat for better performance of Policy Server. Refer to "Tweaking Tomcat JVM Memory.txt" in the Supplements folder for the detailed steps.

2.6.1 Updating Java Options for Tomcat
1. Run '<TOMCAT_HOME>\bin\Tomcat9w.exe'.
2. Go to the Java tab.
3. Configure the below options in the 'Java Options' field:

   Java Option / Description
   -Duser.timezone=Asia/Calcutta
       Updates the time zone information in Tomcat. For configuring different time zones, refer to "Seclore Supported Timezones.pdf" in the References folder.
   -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
       Required if you are planning to configure a Simple AD Repository in Policy Server to connect with Active Directory; if not, this can be skipped. Refer to "What is JNDI Connection Pooling" for further details.

4. Configure the below options in the 'Java 9 Options' field, required by Seclore Policy Server:
   --add-opens=java.base/java.nio=ALL-UNNAMED
   --add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
   --add-exports=java.desktop/sun.awt=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.png=ALL-UNNAMED
   --add-exports=java.desktop/com.sun.imageio.plugins.common=ALL-UNNAMED
   --add-exports=java.base/sun.security.provider=ALL-UNNAMED
   --add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
   --add-modules=jdk.rmic
   --add-exports=jdk.rmic/sun.tools.javac=ALL-UNNAMED
Note: Do not update or delete the default 'Java 9 Options' present in Tomcat 9.

2.6.2 Customizing Tomcat Error Handling
1. Copy SecloreCustomErrorReportValve.jar from the 'Policy Server [Version]\Tools\Tomcat\Configure Custom Error Pages' directory to the '<TOMCAT_INSTALL_FOLDER>\lib' directory.
2. Open server.xml from '<TOMCAT_INSTALL_FOLDER>\conf'.
3. Add the errorReportValveClass attribute inside the <Host ...> tag to customize error handling for the Tomcat server:
   <Host name="localhost" appBase="webapps"
         unpackWARs="true" autoDeploy="true"
         errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">

2.6.3 Allowing/Restricting Tomcat Manager Application
By default, the manager application is enabled in Tomcat. If the Tomcat manager application is enabled, any user can access the application, and users can reload any web application from the Tomcat manager. It is highly recommended to restrict the Tomcat manager application in the production environment.
Note: To restart any web application, restart the Tomcat server.
To restrict the Tomcat Manager application:
1. Take a backup of the following files:
   From the <TOMCAT_HOME>\webapps\ROOT folder:
   I. index.jsp
   II. favicon.ico
   From <TOMCAT_HOME>\webapps:
   I. docs
   II. examples
   III. host-manager
   IV. manager
2. Overwrite index.jsp and favicon.ico with the versions from the 'Policy Server [Version]\Tools\Tomcat\Block Manager Application' folder.
3. Update the index.jsp page to enable any one of the following options:
   Display a blank page with a security message:
   I. Open the index.jsp file.
   II. Uncomment Block 1.
   III. Provide the customized message.
   Display a blank page with a security message and a Policy Server redirect URL:
   I. Open the index.jsp file.
   II. Uncomment Block 2.
   III. Provide the customized message.
   IV. Provide the application name in the anchor tag.
   Redirect to Policy Server:
   I. Open the index.jsp file.
   II. Uncomment Block 3.
   III. Provide the application name.
4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:
   docs
   examples
   host-manager
   manager

2.6.4 Copying Common Libraries
Copy the common library files from 'Policy Server [Version]\Tools\Common Libs' to '<TOMCAT_HOME>\lib'.

2.6.5 Configuring server.xml in Apache Tomcat
The server.xml file is in the <TOMCAT_HOME>\conf folder.
1. Comment out the <Connector> tags with port attribute 8080 and 8009 by enclosing these tags within <!-- -->, if these ports are not used by any other application:
   <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
   <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
2. Add the configuration for the <Connector> tag into server.xml inside the <Service name="Catalina"> tag.
   Note:
   - The keyAlias value is the name of the alias that you entered while creating the keystore entry.
   - disableUploadTimeout is set to false to allow uploading larger files through the Lite Server application.
   - Check that the port specified in the connector tag below is not used by any other application.

   <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
              keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE" keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
              redirectPort="-1" maxHttpHeaderSize="16384" disableUploadTimeout="false" connectionUploadTimeout="3600000"
              acceptCount="100" acceptorThreadCount="2" maxThreads="15000" maxConnections="-1"
              useServerCipherSuitesOrder="true" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
              sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8" server="Seclore Server"
              ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
   </Connector>

   Note: Refer to "SSL 3.0 Configuration.txt" only to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (24000 and older).

3. Add the configuration for the AJP connector.
   Note:
   - The AJP connector is needed if Apache is available in front of the Policy Server.
   - In an ideal scenario, only one connector configuration must be available and the other connector configurations removed.
   - In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. In case the configuration is changed, it should be corrected on both the Apache reverse proxy and the Tomcat server.
   - The address attribute value should be the IP of the Tomcat server that is configured in Apache for the proxy pass.
   - The requiredSecret attribute value should be the same as configured in Apache's policyserver vhost file. Refer to the secret keyword while configuring the AJP balancer manager.

   <Connector port="8009" protocol="AJP/1.3"
              packetSize="16384" URIEncoding="UTF-8" connectionTimeout="1200000" keepAliveTimeout="1200000"
              maxConnections="-1" maxThreads="15000" address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />
4. Add the configuration for Policy Server within the <Host ...> tag.
Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.

For MSSQL Database Server:
Note: Refer to "How do I configure Windows Integrated Authentication for MSSQL" to enable Windows authentication for the MSSQL Database Server.
   <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
     <Valve className="org.apache.catalina.valves.RemoteIpValve" />
     <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false" />
     <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
               driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
               url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
               username="USERNAME" password="PASSWORD"
               maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
               logAbandoned="true" testOnBorrow="true" validationQuery="select GETDATE()" />
     <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
       <Store className="org.apache.catalina.session.FileStore" />
     </Manager>
   </Context>

For ORACLE Database Server:
Note: Refer to 'Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt' to configure an encrypted username and password for the database.
   <Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
     <Valve className="org.apache.catalina.valves.RemoteIpValve" />
     <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false" />
     <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
               driverClassName="oracle.jdbc.driver.OracleDriver"
               url="jdbc:oracle:thin:@DBSERVERNAME:PORT/SERVICENAME"
               username="USERNAME" password="PASSWORD"
               maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
               logAbandoned="true" testOnBorrow="true" validationQuery="select * from dual" />
     <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
       <Store className="org.apache.catalina.session.FileStore" />
     </Manager>
   </Context>
5. Add the configuration for RemoteIpValve inside the <Context ...> tag.
Note: Refer to 'Policy Server [Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf' for configuring RemoteIpValve in different server setups.

2.7 Disabling ProxyErrorOverride in Apache server
Perform the following steps if your Policy Server is deployed behind an Apache server:
1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines to it:
   <If "%{HTTP_ACCEPT} =~ /json/">
       ProxyErrorOverride Off
   </If>
   <If "%{HTTP_ACCEPT} =~ /xml/">
       ProxyErrorOverride Off
   </If>
3. Restart the Apache server.

3 Setting Up and Configuring Policy Server
The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the 'Policy Server [Version]\Web App' folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.
Follow the steps mentioned below to configure the Policy Server.

3.1 Adding Deployment Specific Buffer Files
Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custom\bufferfiles folder. If the deployment is for demo or POC purposes and a default buffer file is needed, the buffer files can be copied from 'Policy Server [Version]\Installation Docs'.

3.2 License File
Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.

3.3 Consent File
Place the Policy Server Consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.

Note: The HTTP header size is changed from the default 8 KB to 16 KB. This setting applies to all apps running on that Tomcat.
- If Tomcat is running on an HTTP/HTTPS port, add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... />
- If Tomcat is running on an AJP port, add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... />
- When Tomcat is running behind an Apache server, Apache will also need to be configured to accept 16 KB header size requests.
- If Tomcat/Apache is behind a Load Balancer (LB), make sure it is configured to accept 16 KB header size requests.
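As an added example (not Seclore's or Apache Tomcat's code), the following Python script audits a Tomcat server.xml against the hardening points of sections 2.6.2, 2.6.3 and 2.6.5 and the 16 KB header-size note above: legacy TLS protocol versions and cipher suites on the HTTPS connector, the AJP connector's address and requiredSecret, the header size attributes, a custom errorReportValveClass on the <Host> tag, and whether the manager-type web applications are still deployed. The sample server.xml, the webapps directory listing and the hardened variant (with the placeholder CUSTOM_VALVE_CLASS) are constructed for the demonstration. The guide's own sample connector still enables TLSv1 and TLSv1.1 and ends its cipher list with a 3DES suite; the audit flags those for review rather than silently accepting them.

```python
"""Audit a Tomcat server.xml against the hardening points in this guide.

Added example; not Seclore's or Apache Tomcat's own code. The sample XML and
the webapps listing below are constructed, with the guide's placeholders.
"""
import xml.etree.ElementTree as ET

# Protocol names that should not appear in sslEnabledProtocols.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that identify legacy cipher suites.
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "_MD5")
MIN_HEADER_SIZE = 16384  # maxHttpHeaderSize / packetSize per the 16 KB note
ADMIN_WEBAPPS = {"docs", "examples", "host-manager", "manager"}  # removed in 2.6.3
PLACEHOLDER_SECRETS = {"", "YOUR_AJP_SECRET"}  # guide placeholder left in place


def _csv(value):
    """Split a comma-separated attribute value into stripped, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_server_xml(xml_text, deployed_webapps=()):
    """Return a list of finding strings; an empty list means nothing was flagged.

    deployed_webapps is the list of directory names under <TOMCAT_HOME>\\webapps.
    """
    findings = []
    root = ET.fromstring(xml_text)

    # The parser drops XML comments, so connectors commented out as in
    # step 1 of 2.6.5 are not reported here.
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")
        if conn.get("SSLEnabled", "false").lower() == "true":
            for proto in _csv(conn.get("sslEnabledProtocols", "")):
                if proto in WEAK_PROTOCOLS:
                    findings.append(f"connector {port}: legacy protocol {proto} enabled")
            for cipher in _csv(conn.get("ciphers", "")):
                if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
                    findings.append(f"connector {port}: legacy cipher {cipher}")
            if int(conn.get("maxHttpHeaderSize", "8192")) < MIN_HEADER_SIZE:
                findings.append(f"connector {port}: maxHttpHeaderSize below {MIN_HEADER_SIZE}")
        elif protocol.upper().startswith("AJP"):
            if conn.get("address") in (None, "0.0.0.0", "::"):
                findings.append(f"connector {port}: AJP address missing or wildcard (pin to the proxy host IP)")
            if conn.get("requiredSecret", "") in PLACEHOLDER_SECRETS:
                findings.append(f"connector {port}: AJP requiredSecret missing or placeholder")
            if int(conn.get("packetSize", "8192")) < MIN_HEADER_SIZE:
                findings.append(f"connector {port}: packetSize below {MIN_HEADER_SIZE}")
        else:
            findings.append(f"connector {port}: plaintext HTTP connector still active")

    for host in root.iter("Host"):
        if not host.get("errorReportValveClass"):
            findings.append(f"host {host.get('name')}: errorReportValveClass not set (2.6.2)")

    for app in sorted(ADMIN_WEBAPPS.intersection(deployed_webapps)):
        findings.append(f"webapps: '{app}' still deployed (2.6.3)")
    return findings


# Constructed sample: the guide's connector shape with a few weak settings left in.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="D:/Seclore/acmegroup.keystore" keyAlias="tomcat" keystorePass="PASSWORD"
               maxHttpHeaderSize="16384" scheme="https" secure="true" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA" />
    <Connector port="8009" protocol="AJP/1.3" packetSize="16384" URIEncoding="UTF-8"
               address="0.0.0.0" requiredSecret="YOUR_AJP_SECRET" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""
# Constructed listing of <TOMCAT_HOME>\\webapps on the same host.
SAMPLE_WEBAPPS = ["ROOT", "policyserver", "manager", "host-manager"]

# The same file after the guide's steps: TLSv1.2 only, no 3DES suite, AJP pinned
# to the proxy host with a real secret, custom valve on <Host> (assumed placeholder).
HARDENED_SERVER_XML = (
    SAMPLE_SERVER_XML
    .replace('sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"', 'sslEnabledProtocols="TLSv1.2"')
    .replace(",TLS_RSA_WITH_3DES_EDE_CBC_SHA", "")
    .replace('address="0.0.0.0" requiredSecret="YOUR_AJP_SECRET"',
             'address="127.0.0.1" requiredSecret="secret-shared-with-apache-vhost"')
    .replace('autoDeploy="true" />', 'autoDeploy="true" errorReportValveClass="CUSTOM_VALVE_CLASS" />')
)

if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE_SERVER_XML, SAMPLE_WEBAPPS):
        print("FINDING:", line)
    print("hardened findings:", audit_server_xml(HARDENED_SERVER_XML, ["ROOT", "policyserver"]))
```

Run it against the real file by reading <TOMCAT_HOME>\conf\server.xml and passing `os.listdir` of the webapps folder; a clean run returns an empty list, and each finding names the connector port or host it applies to.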
3.4 Run Tomcat Service
Configure a valid BYOK (Bring Your Own Key); refer to "Configure BYOK (Bring Your Own Key) in Policy Server". Run the Apache Tomcat 9.0 service to start the Policy Server.

3.5 Provide Configuration Details
1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.
2. Log in using system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.
Note: For any changes in the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.

3.6 Seclore Online Help
Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.
To configure Seclore Online Help:
1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:
   PolicyServer (portal pages)
     help
       en
         aportal
         aum
         eum
         hag
         sag
       es
3. Copy the contents of the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.
4. Overwrite existing files and folders if prompted.
Note:
o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.
o If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.

4 Configure BYOK (Bring Your Own Key) in Policy Server
Policy Server supports the following key management systems:
o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to 'Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt'.
o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to 'Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt'.
By default, Seclore MDK is configured. It is recommended to use Seclore MDK; however, you can disable it.
Perform the following steps to disable BYOK:
1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml, which by default contains:
   <?xml version="1.0" encoding="UTF-8"?>
   <mdk-configs>
     <!-- Configure External Encryption Mechanism here -->
     <mdk-config>
       <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
     </mdk-config>
   </mdk-configs>
   a. Remove the entire <mdk-config> tag.
   b. Only an empty <mdk-configs> tag should be present:
   <?xml version="1.0" encoding="UTF-8"?>
   <mdk-configs>
   </mdk-configs>
Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.

5 Adoption Stats
Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to "How do I configure Adoption Stats feature in Policy Server".
Note: This feature requires a valid consent file to be available.
- For Production deployment, Adoption Stats will not be sent if a valid consent file is not available.
- For POC/Demo/UAT deployment, Adoption Stats will not be sent irrespective of the consent.

6 Post Installation Configurations
The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".
System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".
A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admin), manage Enterprise Applications, etc.

7 Configuring Other Components

7.1 Lite Server
Refer to the installation guide 'Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt' for the Lite Server application deployment.

8 Uploading Customized Seclore Client Installers in Policy Server
1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.
2. Log in using System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After successful upload, view the installer details in the Uploaded Installer and Patches section.
6. To verify the uploaded installer file, click the download icon or the installer file name.
9 Frequently Asked Questions

9.1 How do I acquire the Policy Server License?
To acquire the license:
1. Copy UserInfo.exe from 'Policy Server [Version]\License Utility\UserInfo.exe' to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run the UserInfo.exe file on the machine where the Policy Server needs to be installed.
The above step generates an XML file, which can be found in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.

9.2 How do I set up the logger?
Logging for the Policy Server can be set in 4 different modes:
- Off: Logs nothing.
- Error: Logs only errors.
- Info: Logs errors and major milestones like connection to the database or connection to AD.
- Debug: Logs each processing step of the server in detail.
To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. The following loggers are defined:
- REQUEST: Logs all the requests sent by different clients to Policy Server (<POLICYSERVER_HOME>\logs\Request.log).
- DEBUG: Logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log).
- SYNC: Logs the steps while synchronizing different repositories (<POLICYSERVER_HOME>\logs\Sync.log).
Modify the level attribute of the following AsyncLogger entries for the respective loggers to change the logging type.
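As an added example (not Seclore's tooling), the following Python script switches the three AsyncLogger entries that 9.2 refers to (REQUEST, DEBUG and SYNC) between the four modes, and refuses to write a file in which one of the expected loggers is missing, so a typo cannot leave the request log silently switched off. The mapping from the guide's mode names to log4j2 level values, and the sample log4j2.xml with its appenders, are assumptions constructed for the demonstration.

```python
"""Switch the Policy Server log4j2.xml loggers between the modes listed in 9.2.

Added example; not Seclore's tooling. The mode-to-level mapping and the
sample log4j2.xml below are assumptions constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# Guide mode name -> log4j2 level attribute value (assumed mapping).
MODES = {"Off": "off", "Error": "error", "Info": "info", "Debug": "debug"}
# AsyncLogger names described in 9.2.
SECLORE_LOGGERS = ("REQUEST", "DEBUG", "SYNC")

# Constructed sample; the appender names and layouts are illustrative only.
SAMPLE_LOG4J2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <File name="RequestLog" fileName="logs/Request.log"><PatternLayout pattern="%d %m%n"/></File>
    <File name="ServerLog" fileName="logs/PolicyServer.log"><PatternLayout pattern="%d %m%n"/></File>
    <File name="SyncLog" fileName="logs/Sync.log"><PatternLayout pattern="%d %m%n"/></File>
  </Appenders>
  <Loggers>
    <AsyncLogger name="REQUEST" level="debug" additivity="false"><AppenderRef ref="RequestLog"/></AsyncLogger>
    <AsyncLogger name="DEBUG" level="debug" additivity="false"><AppenderRef ref="ServerLog"/></AsyncLogger>
    <AsyncLogger name="SYNC" level="debug" additivity="false"><AppenderRef ref="SyncLog"/></AsyncLogger>
    <Root level="error"><AppenderRef ref="ServerLog"/></Root>
  </Loggers>
</Configuration>
"""


def current_levels(xml_text, loggers=SECLORE_LOGGERS):
    """Return {logger name: level} for the named AsyncLogger entries."""
    root = ET.fromstring(xml_text)
    return {lg.get("name"): lg.get("level")
            for lg in root.iter("AsyncLogger") if lg.get("name") in loggers}


def set_mode(xml_text, mode, loggers=SECLORE_LOGGERS):
    """Return the XML text with the named loggers set to the level for `mode`.

    Raises ValueError for an unknown mode or if any expected logger is absent,
    so the caller never writes a half-applied configuration.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {sorted(MODES)}")
    root = ET.fromstring(xml_text)
    found = set()
    for lg in root.iter("AsyncLogger"):
        if lg.get("name") in loggers:
            lg.set("level", MODES[mode])
            found.add(lg.get("name"))
    missing = set(loggers) - found
    if missing:
        raise ValueError(f"loggers not found in log4j2.xml: {sorted(missing)}")
    # ET.tostring omits the declaration, so it is re-added for the file on disk.
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", current_levels(SAMPLE_LOG4J2_XML))
    updated = set_mode(SAMPLE_LOG4J2_XML, "Error")
    print("after Error:", current_levels(updated))
```

To apply it to a deployment, read <POLICYSERVER_HOME>\config\log4j2.xml, write the returned text back, and restart Tomcat as the guide requires for configuration changes; passing a shorter `loggers` tuple changes only the named entries.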
   <AsyncLogger name="REQUEST" level="debug" additivity="false" />
   <AsyncLogger name="DEBUG" level="debug" additivity="false" />
   <AsyncLogger name="SYNC" level="debug" additivity="false" />

9.3 How do I generate a self-signed SSL certificate?
To create the certificate file:
1. Open a command prompt.
2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore, and enter the details as shown below.
Note:
- Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
- For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.
- The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.
3. Enter the following command:
Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.
   keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore
At the end of this activity, an "acmegroup.keystore" file is created. The keystore file is created in the directory pointed to by the command prompt while running the keytool command; for example, in the sample screens above, the keystore file is generated at D:\Seclore.
Note: This keystore file will later be referred to in the Tomcat server.xml configuration.

9.4 How do I get a CA signed SSL certificate?
Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.
To generate a CSR (Certificate Signing Request) and to import the certificate:
1. Generate the keystore file. Refer to "How do I generate self-signed SSL certificate" to get the keystore file.
2. To generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:
      keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current directory.
   c. Send the CSR to the vendor of the SSL certificate.
   Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.
3. After receiving the certificates from the vendor, import them into the keystore:
   For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore

9.5 How do I configure Windows Integrated Authentication for MSSQL?
To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the 'Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf' file.

9.6 What is JNDI Connection Pooling?
Policy Server uses a JNDI connection pool to connect with the Active Directory Domain Controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends providing the following parameter with the Tomcat startup arguments:
   -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter tells the pool to release a connection if it has been in the pool for more than 10 minutes (600000 milliseconds). You can configure other parameters as well, according to the requirements of the deployment.
To configure the startup parameter in Tomcat Server:
1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name/value pair, for example -Dcom.sun.jndi.ldap.connect.pool.timeout=600000.

9.7 How do I configure Adoption Stats feature in Policy Server?
To disable or enable the Adoption Stats feature, execute the respective script in the database.
For disabling Adoption Stats:
o MSSQL Database: 'Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql'
o Oracle Database: 'Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql'
For enabling Adoption Stats:
o MSSQL Database: 'Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql'
o Oracle Database: 'Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql'

9.8 How do I tune the system for higher performance?
For tuning the system to achieve higher performance, follow the steps provided in the 'Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt' file.
10 Resources
Below is the list of documents included, with their location (Document: Description).

Policy Server [Version]\Installation Docs:
- Lite Server Installation Guide.txt: Steps for Lite Server installation

Policy Server [Version]\Installation Docs\Supplements:
- Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
- Connecting to AD over SSL.txt: Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL)
- SIM repository Configuration.pdf: Steps to configure the SIM Repository in Policy Server
- Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate into the Java Certificate Trust Store
- Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat
- Tomcat Valve Configuration for Resolving Client IP Addresses.pdf: Steps to configure RemoteIpValve in different server environment setups
- Thales HSM Configuration Guide.txt: Steps to configure Thales HSM in Policy Server
- Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server
- Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server
- Seclore License Portal – User Manual.pdf: Steps to generate a valid PolicyServer.consent file
- Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server
- SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0
- GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database:
- Windows Integrated Auth MSSQL.pdf: Steps to configure Windows integrated authentication for MSSQL

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration:
- Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in for Policy Server

Policy Server [Version]\Installation Docs\References:
- Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server
- Open JDK 11 Installation Guide.pdf: Steps to install Open JDK 11 for Policy Server
- Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server
- Seclore Supported Timezones.pdf: List of timezones that can be configured in the Tomcat Java options
- TCP Socket Timeout Configuration.txt: Steps to configure tcpTimedWaitDelay
This document is meant for training and informational purposes only and should not be distributed without permission The information in this
document is provided ldquoas-isrdquo without warranty of any kind and is subject to change without notice Seclore is not liable for any loss or damage
arising due to this information No part of this document may be reproduced in any form without the written consent of Seclore All logos and
trademarks are the properties of their respective owners
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
4
1 Introduction This guide provides information about the basic installation and setup of Policy Server components
Note
In case the Policy Server requires customizations refer to customization specific deployment documents after
Policy Server deployment
In case of adding one more Policy Server in the existing load balancing (HA) mode setup refer Add One More
Policy Server In HA ModePDF (Policy Server [Version]Installation DocsAdd Policy Server in HA ModeAdd
One More Policy Server In HA Modepdf)
2 Preparing for Installation The system configuration prerequisites and dependencies for the installation and configuration of Policy Server are
summarized in the sections below
21 System Configuration
Policy server deployment requires the following system configurations
RAM 2 GB or above
Hard Disk 40 GB or above
Operating System Windows Server 20122012 R220162019
Note
It is recommended that you place all Seclore components and other related installations (Java Tomcat Policy Server
SIM Site Server etc) in a folder named lsquoSeclorersquo in a non-OS drive like lsquoDSeclorersquo
lsquoltPOLICYSERVER_HOMEgtconfigreportingrsquo folder requires extra disk space for storing reporting index files
For everyone million file activities 500 MB additional disk space is required
22 Dependencies
The dependencies for the deployment of Policy Server are as follows
Database Ensure that MS SQL or Oracle database is properly installed The supported database are as
follows
o MS SQL 2008 2012 2014 2016 and 2017
o Oracle 12c 18c and 19c
o Note For multilingual support with Oracle database
o Policy Server supports internationalization and localization of data So for multilingual support
ensure that the database character set lsquoAL32UTFrsquo is correctly selected during installation of Oracle
database
Java Ensure that Open JDK 1101 is installed If not refer to Open JDK 11 Installation Guidepdf in the
References folder for the installation guidelines
Web Application Server Ensure that Apache Tomcat 9031 is installed If not refer to Tomcat 9
Installation Guidepdf in the References folder for the installation guidelines
23 Prerequisites
Ensure that the below prerequisites are met before you start with the Policy Server deployment
Java installation is successful
Tomcat installation is successful
SSL Certificate
o For production deployment valid SSL certificate is required Refer to How to get CA signed SSL
certificate
o For POCDemoUAT deployment a self-signed SSL certificate is enough Refer to How to generate
self-signed SSL certificate
Ensure that valid Policy Server License is available Refer to How do I acquire the Policy Server License
Policy Server Consent
o For production deployment a valid Policy Server Consent file is required This file can be generated
after an authorized person from the customer end accepts the license terms and conditions
o For POCDemoUAT deployment consent file is not required
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
5
Important Note: Make sure that the service account from which Tomcat is running has Full Permissions on the PolicyServer folder.

2.4 Creating Database Schema for Policy Server
Refer to Creating Database Schema.pdf in the 'Policy Server [Version]\Installation Docs\References' folder for creating the database schema for Policy Server.
Note: Screenshots are for representational purposes only. Java and Tomcat versions must match those mentioned in the steps.

2.5 Configuring Java for Policy Server
Locate the JDK folder used by the Apache Tomcat server:
1. Run Tomcat9w.exe from the '<TOMCAT_HOME>\bin' folder.
2. Click on the Java tab and verify the JDK path in the 'Java Virtual Machine' field.

2.6 Configuring Tomcat for Policy Server
Note: Memory usage of the Tomcat server depends on the number of concurrent requests for viewing files processed by the Policy Server. It is recommended to assign higher JVM memory to Tomcat for better performance of Policy Server. Refer to Tweaking Tomcat JVM Memory.txt in the Supplements folder for the detailed steps.

2.6.1 Updating Java Options for Tomcat
1. Run '<TOMCAT_HOME>\bin\Tomcat9w.exe'.
2. Go to the Java tab.
3. Configure the below options in the 'Java Options' field:
Java Option: -Duser.timezone=Asia/Calcutta
Description: Updates the time zone information in Tomcat. For configuring different time zones, refer to Seclore Supported Timezones.pdf in the References folder.

Java Option: -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
Description: Required if you are planning to configure a Simple AD Repository in Policy Server to connect with Active Directory. If not, this can be skipped. Refer to "What is JNDI Connection Pooling" for further details.
4. Configure the below options, required by Seclore Policy Server, in the 'Java 9 Options' field:

--add-opens=java.base/java.nio=ALL-UNNAMED
--add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
--add-exports=java.desktop/sun.awt=ALL-UNNAMED
--add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED
--add-exports=java.desktop/com.sun.imageio.plugins.png=ALL-UNNAMED
--add-exports=java.desktop/com.sun.imageio.plugins.common=ALL-UNNAMED
--add-exports=java.base/sun.security.provider=ALL-UNNAMED
--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
--add-modules=jdk.rmic
--add-exports=jdk.rmic/sun.tools.javac=ALL-UNNAMED

Note: Do not update or delete the default 'Java 9 Options' present in Tomcat 9.

2.6.2 Customizing Tomcat Error Handling
1. Copy SecloreCustomErrorReportValve.jar from the 'Policy Server [Version]\Tools\Tomcat\Configure Custom Error Pages' directory to the '<TOMCAT_INSTALL_FOLDER>\lib' directory.
2. Open server.xml from '<TOMCAT_INSTALL_FOLDER>\conf'.
3. Add the errorReportValveClass attribute inside the <Host…> tag to customize error handling for the Tomcat server:

<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true"
      errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">

2.6.3 Allowing/Restricting Tomcat Manager Application
By default, the manager application is enabled in Tomcat. If the Tomcat manager application is enabled, any user can access the application, and users can reload any web application from the Tomcat manager. It is highly recommended to restrict the Tomcat manager application in the production environment.
Note: To restart any web application, restart the Tomcat server.
To restrict the Tomcat Manager application:
1. Take a backup of the following files:
   From the <TOMCAT_HOME>\webapps\ROOT folder:
   I. index.jsp
   II. favicon.ico
   From <TOMCAT_HOME>\webapps:
   I. docs
   II. examples
   III. host-manager
   IV. manager
2. Overwrite index.jsp and favicon.ico with the copies from the Policy Server [Version]\Tools\Tomcat\Block Manager Application folder.
3. Update the index.jsp page to enable any one of the following options:
   Display a blank page with a security message
   I. Open the index.jsp file.
   II. Uncomment Block 1.
   III. Provide the customized message.
   Display a blank page with a security message and the Policy Server redirect URL
   I. Open the index.jsp file.
   II. Uncomment Block 2.
   III. Provide the customized message.
   IV. Provide the application name in the anchor tag.
   Redirect to Policy Server
   I. Open the index.jsp file.
   II. Uncomment Block 3.
   III. Provide the application name.
4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:
   - docs
   - examples
   - host-manager
   - manager

2.6.4 Copying Common Libraries
Copy the common library files from Policy Server [Version]\Tools\Common Libs to <TOMCAT_HOME>\lib.

2.6.5 Configuring server.xml in Apache Tomcat
The server.xml file is in the <TOMCAT_HOME>\conf folder.
1. Comment out the <Connector> tags with port attributes 8080 and 8009 by enclosing these tags within <!-- --> if these ports are not used by any other application:

<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

2. Add the configuration for the <Connector> tag into server.xml inside the <Service name="Catalina"> tag.
Note:
- The keyAlias value is the name of the alias that you entered while creating the keystore entry.
- disableUploadTimeout is false to allow uploading larger files through the Lite Server application.
- Check that the port specified in the connector tag below is not used by any other application.

<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE"
           keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
           redirectPort="-1" maxHttpHeaderSize="16384"
           disableUploadTimeout="false" connectionUploadTimeout="3600000"
           acceptCount="100" acceptorThreadCount="2" maxThreads="15000" maxConnections="-1"
           useServerCipherSuitesOrder="true"
           scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           URIEncoding="UTF-8" server="Seclore Server"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
</Connector>

Note: Refer to SSL 3.0 Configuration.txt only to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (24000 and older).

3. Add the configuration for the AJP connector.
Note:
- The AJP connector is needed only if Apache is available in front of the Policy Server.
- In an ideal scenario only one connector configuration must be present and the other connector configurations removed.
- In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. If the configuration is changed, it must be corrected on both the Apache reverse proxy and the Tomcat server.
- The address attribute value should be the IP of the Tomcat server that is configured in Apache for ProxyPass.
- The requiredSecret attribute value should be the same as configured in Apache's policyserver vhost file. Refer to the secret keyword while configuring the AJP balancer.

<Connector port="8009" protocol="AJP/1.3"
           packetSize="16384" URIEncoding="UTF-8"
           connectionTimeout="1200000" keepAliveTimeout="1200000"
           maxConnections="-1" maxThreads="15000"
           address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />
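The manager-application and server.xml steps above lend themselves to an automated post-install check. The following Python script is an added example and is not part of the Seclore guide or its tooling: it parses a server.xml and reports deviations from sections 2.6.2, 2.6.3 and 2.6.5, namely plain-text connectors left active, legacy TLS protocol versions, 3DES/RC4-class cipher suites, keystore and AJP secrets still set to the template placeholders, a missing errorReportValveClass, and manager applications still deployed. The sample server.xml is constructed for the demo with the guide's placeholders left in; the hardened variant (TLS 1.2/1.3 only, no 3DES) assumes a Tomcat 9 on Java 11 JSSE stack, which supports TLSv1.3.

```python
"""Post-install check of a Tomcat server.xml against the hardening steps in this guide.
Added example; not Seclore's own tooling."""
import xml.etree.ElementTree as ET

# Constructed sample resembling the guide's connector and Host templates,
# with the placeholder values deliberately left unreplaced.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE" keyAlias="NAME_OF_KEYSTORE_ALIAS"
               keystorePass="PASSWORD" maxHttpHeaderSize="16384" useServerCipherSuitesOrder="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA" />
    <Connector port="8009" protocol="AJP/1.3" packetSize="16384" address="127.0.0.1"
               requiredSecret="YOUR_AJP_SECRET" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
            errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve" />
    </Engine>
  </Service>
</Server>
"""

# The same file after the findings are fixed (constructed by substitution for the demo).
HARDENED_SERVER_XML = (
    SAMPLE_SERVER_XML
    .replace('sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"', 'sslEnabledProtocols="TLSv1.2,TLSv1.3"')
    .replace(",TLS_RSA_WITH_3DES_EDE_CBC_SHA", "")
    .replace('keystorePass="PASSWORD"', 'keystorePass="value-from-secret-store"')
    .replace('requiredSecret="YOUR_AJP_SECRET"', 'requiredSecret="long-random-shared-secret"')
)

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("3DES", "_RC4_", "_NULL_", "_EXPORT_", "_MD5")
PLACEHOLDERS = {"", "PASSWORD", "YOUR_AJP_SECRET"}   # template values from the guide
MANAGER_APPS = ("docs", "examples", "host-manager", "manager")


def check_server_xml(xml_text, deployed_webapps):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    # Connectors commented out per step 1 of 2.6.5 are dropped by the parser, so only
    # active connectors are inspected here.
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")
        if conn.get("SSLEnabled", "false").lower() == "true":
            if conn.get("maxHttpHeaderSize") != "16384":
                findings.append(f"connector {port}: maxHttpHeaderSize is not 16384")
            enabled = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")}
            for proto in sorted(enabled & LEGACY_PROTOCOLS):
                findings.append(f"connector {port}: legacy protocol {proto} enabled")
            for suite in conn.get("ciphers", "").split(","):
                if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                    findings.append(f"connector {port}: weak cipher suite {suite.strip()}")
            if conn.get("keystorePass", "") in PLACEHOLDERS:
                findings.append(f"connector {port}: keystorePass is empty or still a placeholder")
        elif protocol.startswith("AJP"):
            if conn.get("requiredSecret", "") in PLACEHOLDERS:
                findings.append(f"connector {port}: requiredSecret is empty or still a placeholder")
            if not conn.get("address"):
                findings.append(f"connector {port}: AJP connector is not bound to an address")
            if conn.get("packetSize") != "16384":
                findings.append(f"connector {port}: packetSize is not 16384")
        else:
            findings.append(f"connector {port}: plain {protocol} connector is still active")
    if not any(host.get("errorReportValveClass") for host in root.iter("Host")):
        findings.append("Host: errorReportValveClass is not set (section 2.6.2)")
    for app in MANAGER_APPS:
        if app in deployed_webapps:
            findings.append(f"webapps/{app} is still deployed (section 2.6.3 step 4)")
    return findings


if __name__ == "__main__":
    # deployed_webapps would normally come from os.listdir("<TOMCAT_HOME>/webapps").
    print("sample  :", check_server_xml(SAMPLE_SERVER_XML, {"ROOT", "policyserver", "manager"}))
    print("hardened:", check_server_xml(HARDENED_SERVER_XML, {"ROOT", "policyserver"}) or "OK")
```

On a real installation, read `<TOMCAT_HOME>\conf\server.xml` into `xml_text` and pass the directory listing of `<TOMCAT_HOME>\webapps` as `deployed_webapps`; an empty result means the installation matches the steps above.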
4. Add the configuration for Policy Server within the <Host…> tag.
Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.

For MSSQL Database Server:
Note: Refer to "How do I configure Windows Integrated Authentication for MSSQL" to enable Windows authentication for the MSSQL Database Server.

<Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
  <Valve className="org.apache.catalina.valves.RemoteIpValve" />
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         disableProxyCaching="true" securePagesWithPragma="false" />
  <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
            username="USERNAME" password="PASSWORD"
            maxWaitMillis="5000" maxTotal="30000"
            removeAbandonedOnBorrow="true" removeAbandonedTimeout="300" logAbandoned="true"
            testOnBorrow="true" validationQuery="select GETDATE()" />
  <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
    <Store className="org.apache.catalina.session.FileStore" />
  </Manager>
</Context>

For ORACLE Database Server:
Note: Refer to Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt to configure an encrypted username and password for the database.

<Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
  <Valve className="org.apache.catalina.valves.RemoteIpValve" />
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         disableProxyCaching="true" securePagesWithPragma="false" />
  <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.driver.OracleDriver"
            url="jdbc:oracle:thin:@DBSERVERNAME:PORT/SERVICENAME"
            username="USERNAME" password="PASSWORD"
            maxWaitMillis="5000" maxTotal="30000"
            removeAbandonedOnBorrow="true" removeAbandonedTimeout="300" logAbandoned="true"
            testOnBorrow="true" validationQuery="select 1 from dual" />
  <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
    <Store className="org.apache.catalina.session.FileStore" />
  </Manager>
</Context>
5. Add the configuration for RemoteIpValve inside the <Context…> tag.
Note: Refer to Policy Server [Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf for configuring RemoteIpValve in different server setups.
Note: The HTTP header size is changed from the default 8 KB to 16 KB. This setting applies to all apps running on that Tomcat.
- If Tomcat is running on an HTTP/HTTPS port, add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... />
- If Tomcat is running on an AJP port, add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... />
- When Tomcat is running behind an Apache server, the Apache server will also need to be configured to accept requests with a 16 KB header size.
- If Tomcat/Apache is behind any Load Balancer (LB), make sure it is configured to accept requests with a 16 KB header size.

2.7 Disabling ProxyErrorOverride in Apache server
Perform the following steps if your Policy Server is deployed behind an Apache server:
1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines to it:

<If "%{HTTP_ACCEPT} =~ /json/">
    ProxyErrorOverride Off
</If>
<If "%{HTTP_ACCEPT} =~ /xml/">
    ProxyErrorOverride Off
</If>

3. Restart the Apache server.

3 Setting Up and Configuring Policy Server
The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server [Version]\Web App folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.
Follow the steps mentioned below to configure the Policy Server.

3.1 Adding Deployment Specific Buffer Files
Deployment specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer specific PDF buffer files into the <POLICYSERVER_HOME>\custombufferfiles folder. If the deployment is for a demo or POC purpose and a default buffer file is needed, the buffer files can be copied from Policy Server [Version]\Installation Docs.

3.2 License File
Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.

3.3 Consent File
Place the Policy Server Consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.
3.4 Run Tomcat Service
Configure a valid BYOK (Bring Your Own Key); refer to "Configure BYOK (Bring Your Own Key) in Policy Server". Run the Apache Tomcat 9.0 service to start the Policy Server.

3.5 Provide Configuration Details
1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.
2. Log in using the system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.
Note: For any later changes in the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.

3.6 Seclore Online Help
Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.
To configure Seclore Online Help:
1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:

PolicyServer (portal pages)
  help
    en
      aportal
      aum
      eum
      hag
      sag
    es

3. Copy the contents of the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.
4. Overwrite existing files and folders if prompted.
Note:
o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.
o If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.

4 Configure BYOK (Bring Your Own Key) in Policy Server
Policy Server supports the following key management systems:
o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt.
o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt.
By default, Seclore MDK is configured. It is recommended to use Seclore MDK. However, you can disable it.
Perform the following steps to disable the BYOK:
1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml. The shipped file contains the Seclore MDK adaptor entry:

<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
    <!-- Configure External Encryption Mechanism here -->
    <mdk-config>
        <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
    </mdk-config>
</mdk-configs>

   a. Remove the entire <mdk-config> tag.
   b. Only an empty <mdk-configs> tag should remain:

<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
</mdk-configs>

Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.

5 Adoption Stats
Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to "How do I configure Adoption Stats feature in Policy Server".
Note: This feature requires a valid consent file to be available.
- For Production deployment, Adoption Stats will not be sent if a valid consent file is not available.
- For POC/Demo/UAT deployment, Adoption Stats will not be sent irrespective of the consent.

6 Post Installation Configurations
The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".
The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".
A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admin), manage Enterprise Applications, etc.

7 Configuring Other Components

7.1 Lite Server
Refer to the installation guide Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt for the Lite Server Application deployment.

8 Uploading Customized Seclore Client Installers in Policy Server
1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.
2. Log in using the System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.
6. To verify the uploaded installer file, click the download icon or the installer file name.

9 Frequently Asked Questions

9.1 How do I acquire the Policy Server License?
To acquire the license:
1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run the UserInfo.exe file on the machine where the Policy Server needs to be installed.
The above step generates an XML file, which can be found in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.

9.2 How do I set up the logger?
Logging for the Policy Server can be set in 4 different modes:
- Off: Logs nothing.
- Error: Logs only errors.
- Info: Logs errors and the major milestones, like connection to the database or connection to AD.
- Debug: Logs each processing step of the server in detail.
To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. Modify the following properties of the different loggers for the different logging types:
- REQUEST: Logs all the requests sent by different clients to Policy Server (<POLICYSERVER_HOME>\logs\Request.log).
- DEBUG: Logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log).
- SYNC: Logs the steps while synchronizing different repositories (<POLICYSERVER_HOME>\logs\Sync.log).

<AsyncLogger name="REQUEST" level="debug" additivity="false">
<AsyncLogger name="DEBUG" level="debug" additivity="false">
<AsyncLogger name="SYNC" level="debug" additivity="false">

9.3 How do I generate a self-signed SSL certificate?
To create the certificate file:
1. Open a command prompt.
2. Enter details as shown below. Change the current directory to the Seclore folder created earlier, for example D:\Seclore.
Note:
- Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
- For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a Wildcard Certificate this must begin with the * character, for example *.yourdomain.com.
- The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.
3. Enter the following command:
Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.
o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore
At the end of this activity an "acmegroup.keystore" file is created. The keystore file is created in the directory the command prompt points to while running the keytool command. For example, in the sample screens above the keystore file is generated at D:\Seclore.
Note: This keystore file is referred to later in the Tomcat server.xml configuration.

9.4 How do I get a CA signed SSL certificate?
Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.
To generate a CSR (Certificate Signing Request) and to import the certificate:
1. Generate the keystore file. Refer to "How do I generate self-signed SSL certificate" to get the keystore file.
2. To generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:
      keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.
   c. Send the CSR to the vendor of the SSL certificate.
Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.
3. After receiving the certificates from the vendor, import them into the keystore:
   For Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   For Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   For Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
9.5 How do I configure Windows Integrated Authentication for MSSQL?
To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.

9.6 What is JNDI Connection Pooling?
Policy Server uses a JNDI connection pool to connect with the Active Directory Domain Controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends providing the following parameter with the Tomcat startup arguments:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter tells the pool to release a connection if it has been idle in the pool for more than 10 minutes (600000 milliseconds). You can configure other parameters as well, according to the requirements of the deployment.
To configure the startup parameter in Tomcat Server:
1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name-value pair, for example -Dcom.sun.jndi.ldap.connect.pool.timeout=600000.

9.7 How do I configure Adoption Stats feature in Policy Server?
To disable or enable the Adoption Stats feature, execute the respective script in the database.
For disabling Adoption Stats:
o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql
For enabling Adoption Stats:
o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql

9.8 How do I tune the system for higher performance?
For tuning the system to achieve higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.
10 Resources
Below is the list of documents included, with their location.

Policy Server [Version]\Installation Docs
- Lite Server Installation Guide.txt: Steps for Lite Server installation

Policy Server [Version]\Installation Docs\Supplements
- Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
- Connecting to AD over SSL.txt: Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL)
- SIM repository Configuration.pdf: Steps to configure SIM Repository in Policy Server
- Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate into the Java Certificate Trust Store
- Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat
- Tomcat Valve Configuration for Resolving Client IP Addresses.pdf: Steps to configure RemoteIpValve in different server environment setups
- Thales HSM Configuration Guide.txt: Steps to configure Thales HSM in Policy Server
- Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server
- Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server
- Seclore License Portal – User Manual.pdf: Steps to generate a valid PolicyServer.consent file
- Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server
- SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0
- GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
- Windows Integrated Auth MSSQL.pdf: Steps to configure Windows integrated authentication for MSSQL

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
- Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in for Policy Server

Policy Server [Version]\Installation Docs\References
- Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server
- Open JDK 11 Installation Guide.pdf: Steps to install Open JDK 11 for Policy Server
- Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server
- Seclore Supported Timezones.pdf: List of timezones that can be configured in the Tomcat Java options
- TCP Socket Timeout Configuration.txt: Steps to configure tcpTimedWaitDelay
This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
5
Important Note Make sure that the Service account from which Tomcat is running has Full Permissions on PolicyServer
Folder
24 Creating Database Schema for Policy Server
Refer to Creating Database Schemapdf in the lsquoPolicy Server [Version]Installation DocsReferencesrsquo folder for
creating database schema for Policy Server
Note Screenshots are for representational purposes only Java and Tomcat versions must match those mentioned
in the steps
25 Configuring Java for Policy Server
Locate the JDK folder used by the Apache Tomcat server
1 Run Tomcat9exe from lsquoltTOMCAT_HOMEgtbinrsquo folder
2 Click on the Java tab and verify the JDK path from the lsquoJava Virtual Machinersquo field
26 Configuring Tomcat for Policy Server
Note Memory usage of Tomcat server is based on the concurrent requests for viewing files processed by the Policy
Server It is recommended to assign higher JVM memory to Tomcat for better performance of Policy Server Refer to
Tweaking Tomcat JVM Memorytxt in the Supplements folder for the detailed steps
261 Updating Java Options for Tomcat
1 Run lsquoltTOMCAT HOMEgtbinTomcat9wexersquo
2 Go to the Java tab
3 Configure the below configurations in the lsquoJava Optionsrsquo field
Java Option Description
-Dusertimezone=AsiaCalcutta To update the time zone information in
Tomcat For configuring different time
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
6
zones refer to Seclore Supported
Tmezonespdf in the References folder
-Dcomsunjndildapconnectpooltimeout=600000 This is required if you are planning to
configure Simple AD Repository in Policy
Server to connect with the Active
Directory If not this can be skipped Refer
to What is JNDI Connection Pooling For
further details
4 Configure the below configurations in the lsquoJava 9 Optionsrsquo field required by Seclore Policy Server
Note Do not update or delete the default lsquoJava 9 Optionsrsquo present in Tomcat 9
262 Customizing Tomcat Error Handling
1 Copy SecloreCustomErrorReportValvejar from the lsquoPolicy Server [Version]ToolsTomcatConfigure
Custom Error Pagesrsquo directory to the lsquoltTOMCAT_INSTALL_FOLDERgtlibrsquo directory
2 Open serverxml from lsquoltTOMCAT_INSTALL_FOLDERgtconfrsquo
3 Add the errorReportValveClass attribute inside the ltHosthellipgt tag to customize error handling for Tomcat
Server
263 AllowingRestricting Tomcat Manager Application
By default the manager application is enabled for Tomcat If the Tomcat manager application is enabled any
user can access the application Users can reload any web application from the Tomcat manager It is highly
recommended to restrict Tomcat manager application in the production environment
Note To restart any web application restart the Tomcat server
To restrict the Tomcat Manager application
1 Take a backup of the following files
From ltTOMCAT_HOMEgtwebappsROOT folder
I indexjsp
II faviconico
From ltTOMCAT_HOMEgtwebapps
I docs
II examples
III host-manager
IV manager
2 Overwrite indexjsp and faviconico from Policy Server [Version]ToolsTomcatBlock Manager
Application folder
--add-opens=javabasejavanio=ALL-UNNAMED
--add-exports=javadesktopsunawtimage=ALL-UNNAMED
--add-exports=javadesktopsunawt=ALL-UNNAMED
--add-exports=javadesktopcomsunimageiopluginsjpeg=ALL-UNNAMED
--add-exports=javadesktopcomsunimageiopluginspng=ALL-UNNAMED
--add-exports=javadesktopcomsunimageiopluginscommon=ALL-UNNAMED
--add-exports=javabasesunsecurityprovider=ALL-UNNAMED
--add-exports=javabasesunsecurityinternalspec=ALL-UNNAMED
--add-modules=jdkrmic
--add-exports=jdkrmicsuntoolsjavac=ALL-UNNAMED
ltHost name=localhost appBase=webapps
unpackWARs=true autoDeploy=true
errorReportValveClass=comseclorefscustomerrorvalveSecloreCustomErrorReportValvegt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
7
3 Update the indexjsp page to enable any of the following options
Display blank page with security message
I Open the indexjsp file
II Uncomment the Block 1
III Provide the customized message
Display blank page with security message and Policy Server redirect URL
I Open the indexjsp file
II Uncomment the Block 2
III Please provide the customized message
IV Provide the application name in the anchor tag
Redirect to Policy Server
I Open the indexjsp file
II Uncomment the Block 3
III Provide the application name
4 Remove the following applications from the ltTOMCAT_HOMEgtwebapps folder
docs
examples
host-manager
manager
264 Copying Common Libraries
Copy the common library files from Policy Server[Version]ToolsCommon Libs to ltTOMCAT HOMEgtlib
265 Configuring serverxml in Apache Tomcat
The serverxml file is in the ltTOMCAT_HOMEgtconf folder
1 Comment the ltConnectorgt tag with port attribute as 8080 and 8009 by enclosing thee tags within lt--
--gt if these ports are not used by any other application
2 Add the configuration for the ltConnectorgt tag into the serverxml inside the ltService
name=rdquocatalinagt tag
Note
The keyAlias value is the name of the alias that you have entered while creating keystore
entry
The disableUploadTimeout is false for uploading larger files through the Lite Server
application
Check whether the port specified in the connector tag specified below is not used by any
other application
lt-- ltConnector port=8080 protocol=HTTP11 connectionTimeout=20000 redirectPort=8443 gt rarr lt-- ltConnector port=8009 protocol=AJP13 redirectPort=8443 gt --gt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
8
Note: Refer to SSL 3.0 Configuration.txt only to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (24000 and older).
3. Add the configuration for the AJP connector.
Note:
- The AJP connector is needed only if Apache is deployed in front of the Policy Server.
- Ideally only one connector configuration is present; remove the other connector configurations.
- In Apache, the TTL of the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. If this value is changed, correct it on both the Apache reverse proxy and the Tomcat server.
- The address attribute value should be the IP of the Tomcat server that is configured in Apache for the proxy pass.
- The requiredSecret attribute value should be the same as the one configured in Apache's policyserver vhost file (refer to the secret keyword used while configuring the AJP balancer manager).
<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE" keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
           redirectPort="-1" maxHttpHeaderSize="16384" disableUploadTimeout="false" connectionUploadTimeout="3600000"
           acceptCount="100" acceptorThreadCount="2" maxThreads="15000" maxConnections="-1"
           useServerCipherSuitesOrder="true" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8" server="Seclore Server"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
</Connector>
<Connector port="8009" protocol="AJP/1.3"
           packetSize="16384" URIEncoding="UTF-8" connectionTimeout="1200000" keepAliveTimeout="1200000"
           maxConnections="-1" maxThreads="15000" address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />
4. Add the configuration for the Policy Server within the <Host ...> tag.
Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.
For MSSQL Database Server:
Note: Refer to "How do I configure Windows Integrated Authentication for MSSQL" to enable Windows authentication for the MSSQL Database Server.
<Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
    <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
    <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
              driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
              url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
              username="USERNAME" password="PASSWORD" maxWaitMillis="5000" maxTotal="30000"
              removeAbandonedOnBorrow="true" removeAbandonedTimeout="300" logAbandoned="true"
              testOnBorrow="true" validationQuery="select GETDATE()"/>
    <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
        <Store className="org.apache.catalina.session.FileStore"/>
    </Manager>
</Context>
For ORACLE Database Server:
Note: Refer to Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt to configure an encrypted username and password for the database.
<Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
    <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
    <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
              driverClassName="oracle.jdbc.driver.OracleDriver"
              url="jdbc:oracle:thin:@//DBSERVERNAME:PORT/SERVICENAME"
              username="USERNAME" password="PASSWORD" maxWaitMillis="5000" maxTotal="30000"
              removeAbandonedOnBorrow="true" removeAbandonedTimeout="300" logAbandoned="true"
              testOnBorrow="true" validationQuery="select * from dual"/>
    <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
        <Store className="org.apache.catalina.session.FileStore"/>
    </Manager>
</Context>
5. Add the configuration for the RemoteIpValve inside the <Context ...> tag.
Note: Refer to Policy Server[Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf for configuring the RemoteIpValve in different server setups.
2.7 Disabling ProxyErrorOverride in Apache server
Perform the following steps if your Policy Server is deployed behind an Apache server:
1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines to it:
<If "%{HTTP_ACCEPT} =~ /json/">
    ProxyErrorOverride Off
</If>
<If "%{HTTP_ACCEPT} =~ /xml/">
    ProxyErrorOverride Off
</If>
3. Restart the Apache server.
3 Setting Up and Configuring Policy Server
The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server[Version]\Web App folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.
Follow the steps below to configure the Policy Server.
3.1 Adding Deployment Specific Buffer Files
Deployment specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer specific PDF buffer files into the <POLICYSERVER_HOME>\custom\bufferfiles folder. If the deployment is for a demo or POC purpose and a default buffer file is needed, the buffer files can be copied from Policy Server[Version]\Installation Docs.
3.2 License File
Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.
3.3 Consent File
Place the Policy Server consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.
Note: The HTTP header size is changed from the default 8KB to 16KB. This setting applies to all applications running on that Tomcat instance.
- If Tomcat is running on an HTTP/HTTPS port, add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... />
- If Tomcat is running on an AJP port, add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... />
- When Tomcat is running behind an Apache server, Apache also needs to be configured to accept requests with a 16KB header size.
- If Tomcat/Apache is behind any Load Balancer (LB), make sure it is also configured to accept requests with a 16KB header size.
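The connector, AJP and Context settings above are easy to get subtly wrong (a placeholder left in place, the AJP secret missing, the header limit raised on one connector but not the other). The following audit script is an added example and not part of the Seclore guide or product; the server.xml it parses is a constructed sample modelled on the fragments in this guide, and the checks encode the values the guide prescribes (maxHttpHeaderSize and packetSize of 16384, an AJP secret and bound address, no placeholders in the JDBC Resource). Two checks go beyond the guide and are my additions: flagging the TLSv1 and TLSv1.1 entries in sslEnabledProtocols, which RFC 8996 formally deprecates, and flagging the 3DES cipher suite. The script also accepts the `secret` attribute, which Tomcat 9.0.31 and later use in place of `requiredSecret`.

```python
"""Audit a Tomcat server.xml against the connector and context settings this guide prescribes.
Added example, not Seclore code; the sample XML below is constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the connector/context fragments in this guide (placeholders kept
# as in the guide). Not a real deployment's server.xml.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="D:/Seclore/acmegroup.keystore" keyAlias="tomcat" keystorePass="PASSWORD"
               maxHttpHeaderSize="16384" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="8009" protocol="AJP/1.3" packetSize="8192"
               address="0.0.0.0" requiredSecret="YOUR_AJP_SECRET"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/policyserver" docBase="D:/Seclore/Policy Server">
          <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
                    url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
                    username="USERNAME" password="PASSWORD"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # deprecated by RFC 6176 / RFC 8996
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT")
PLACEHOLDERS = {"PASSWORD", "YOUR_AJP_SECRET", "USERNAME", "DBSERVERNAME"}  # literals used in this guide
REQUIRED_HEADER_BYTES = "16384"  # the guide raises the header limit from 8KB to 16KB


def _looks_placeholder(value):
    return value is None or value.strip() == "" or any(p in value for p in PLACEHOLDERS)


def audit_server_xml(xml_text):
    """Return a list of human-readable findings; an empty list means every check passed.
    Commented-out connectors are ignored by the XML parser, so only active ones are audited."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        proto = conn.get("protocol", "HTTP/1.1")
        if proto.startswith("AJP"):
            secret = conn.get("secret") or conn.get("requiredSecret")  # 9.0.31+ name, then legacy name
            if _looks_placeholder(secret):
                findings.append(f"AJP {port}: secret/requiredSecret missing or placeholder")
            addr = conn.get("address")
            if addr is None or addr in ("0.0.0.0", "::"):
                findings.append(f"AJP {port}: address not bound to the proxy-facing IP")
            if conn.get("packetSize") != REQUIRED_HEADER_BYTES:
                findings.append(f"AJP {port}: packetSize should be {REQUIRED_HEADER_BYTES}")
            continue
        if conn.get("SSLEnabled", "false").lower() == "true":
            enabled = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
            for legacy in sorted(enabled & LEGACY_PROTOCOLS):
                findings.append(f"HTTPS {port}: legacy protocol {legacy} enabled")
            for cipher in conn.get("ciphers", "").split(","):
                cipher = cipher.strip()
                if any(m in cipher for m in WEAK_CIPHER_MARKERS):
                    findings.append(f"HTTPS {port}: weak cipher {cipher}")
            if _looks_placeholder(conn.get("keystorePass")):
                findings.append(f"HTTPS {port}: keystorePass is a placeholder")
        else:
            findings.append(f"HTTP {port}: plaintext connector active (guide expects 8080 commented out unless in use)")
        if conn.get("maxHttpHeaderSize") != REQUIRED_HEADER_BYTES:
            findings.append(f"Connector {port}: maxHttpHeaderSize should be {REQUIRED_HEADER_BYTES}")
    for res in root.iter("Resource"):
        if res.get("type") == "javax.sql.DataSource":
            for attr in ("url", "username", "password"):
                if _looks_placeholder(res.get(attr)):
                    findings.append(f"Resource {res.get('name')}: {attr} is a placeholder")
    return findings


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against a real file with `audit_server_xml(open(path, encoding="utf-8").read())`; an empty list is the pass condition. Because ElementTree drops XML comments, a connector that the guide tells you to wrap in `<!-- -->` disappears from the audit exactly as it disappears from Tomcat.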
3.4 Run Tomcat Service
Configure a valid BYOK (Bring Your Own Key); refer to Configure BYOK (Bring Your Own Key) in Policy Server. Run the Apache Tomcat 9.0 service to start the Policy Server.
3.5 Provide Configuration Details
1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.
2. Log in using the system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.
Note: For any later change in the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration after logging in as system administrator.
3.6 Seclore Online Help
Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.
To configure Seclore Online Help:
1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:
PolicyServer
  portal pages
    help
      en
        aportal
        aum
        eum
        hag
        sag
      es
3. Copy the contents of the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.
4. Overwrite existing files and folders if prompted.
Note:
o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.
o If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.
4 Configure BYOK (Bring Your Own Key) in Policy Server
Policy Server supports the following key management systems:
o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt
o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt
By default, Seclore MDK is configured. It is recommended to use Seclore MDK. However, you can disable it.
Perform the following steps to disable BYOK:
1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml.
   a. Remove the entire <mdk-config> tag.
   b. Only an empty <mdk-configs> tag should be present.
Default MDKConfig.xml (Seclore MDK enabled):
<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
    <!-- Configure External Encryption Mechanism here -->
    <mdk-config>
        <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
    </mdk-config>
</mdk-configs>
MDKConfig.xml with BYOK disabled:
<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
</mdk-configs>
Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.
5 Adoption Stats
Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to How do I configure the Adoption Stats feature in Policy Server.
Note: This feature requires a valid consent file to be available.
- For a Production deployment, Adoption Stats are not sent if a valid consent file is not available.
- For a POC/Demo/UAT deployment, Adoption Stats are not sent irrespective of the consent.
6 Post Installation Configurations
The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".
The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".
A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admin), manage Enterprise Applications, etc.
7 Configuring Other Components
7.1 Lite Server
Refer to the installation guide at Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt for the Lite Server Application deployment.
8 Uploading Customized Seclore Client Installers in Policy Server
1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.
2. Log in using the System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.
6. To verify the uploaded installer file, click the download icon or the installer file name.
9 Frequently Asked Questions
9.1 How do I acquire the Policy Server License
To acquire the license:
1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run UserInfo.exe on the machine where the Policy Server needs to be installed.
The above step generates an XML file in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.
9.2 How do I set up the logger
Logging for the Policy Server can be set to 4 different modes:
- Off: logs nothing.
- Error: logs only errors.
- Info: logs errors and major milestones such as connection to the database or connection to AD.
- Debug: logs each processing step of the server in detail.
To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. It defines the following loggers:
- REQUEST: logs all the requests sent by the different clients to the Policy Server (<POLICYSERVER_HOME>\logs\Request.log).
- DEBUG: logs all the processing steps for any request being served (<POLICYSERVER_HOME>\logs\PolicyServer.log).
- SYNC: logs the steps while synchronizing the different repositories (<POLICYSERVER_HOME>\logs\Sync.log).
Modify the level property of the respective logger for the required logging type:
<AsyncLogger name="REQUEST" level="debug" additivity="false">
<AsyncLogger name="DEBUG" level="debug" additivity="false">
<AsyncLogger name="SYNC" level="debug" additivity="false">
9.3 How do I generate a self-signed SSL certificate
To create the certificate file:
1. Open a command prompt.
2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore, and enter the details as shown below.
Note:
- Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
- For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.
- The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.
3. Enter the following command.
Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.
o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore
At the end of this activity, an "acmegroup.keystore" file is created in the directory the command prompt pointed to while running the keytool command; for example, in the sample screens above the keystore file is generated at D:\Seclore.
Note: This keystore file is referred to later in the Tomcat server.xml configuration.
9.4 How do I get a CA signed SSL certificate
Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.
To generate a CSR (Certificate Signing Request) and import the certificate:
1. Generate the keystore file. Refer to "How do I generate a self-signed SSL certificate" to get the keystore file.
2. To generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:
keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.
   c. Send the CSR to the vendor of the SSL certificate.
Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.
3. After receiving the certificates from the vendor, import them into the keystore:
For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
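The keytool sequence in 9.3 and 9.4 has two ordering rules that are easy to break when typed by hand: the CA chain must be imported root first, then intermediate, then the domain certificate, and the domain certificate must go in under the same alias as the key pair (otherwise keytool stores it as a separate trusted-certificate entry and the chain for the Tomcat alias stays at length 1). The script below is an added example, not Seclore's tooling; it builds the command lines for both sections with those rules enforced and adds a post-import check on `keytool -list -v` output. Two departures from the guide's own commands are assumptions of mine: the default signature algorithm is SHA256withRSA instead of SHA1WithRSA (SHA-1 certificate signatures are rejected by current browsers; pass `sigalg="SHA1WithRSA"` to match the guide exactly), and a `-dname`/`-ext SAN` pair replaces the interactive "First and last name" prompts so the command can run unattended. `keytool` itself must be on the PATH for `run` and `verify_chain`; the planning and parsing functions work without it.

```python
"""Scripted version of the keytool steps in 9.3 and 9.4 with the guide's ordering and alias rules
checked before anything is executed. Added example, not Seclore tooling."""
import re
import shutil
import subprocess


def validate_cn(fqdn, wildcard=False):
    """The guide: a wildcard certificate's 'First and last name' must begin with '*'."""
    if wildcard and not fqdn.startswith("*."):
        raise ValueError("wildcard CN must begin with '*.' (e.g. *.yourdomain.com)")
    if not wildcard and "*" in fqdn:
        raise ValueError("a non-wildcard CN must not contain '*'")
    return fqdn


def keystore_plan(alias, keystore, fqdn, org, wildcard=False, sigalg="SHA256withRSA"):
    """9.3 step 3: generate the key pair. -dname and -ext SAN are my additions (assumption) so the
    command runs without prompts; the guide's command uses -sigalg SHA1WithRSA."""
    cn = validate_cn(fqdn, wildcard)
    return [["keytool", "-genkey", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
             "-validity", "36500", "-sigalg", sigalg, "-keystore", keystore,
             "-dname", f"CN={cn}, O={org}", "-ext", f"SAN=dns:{cn}"]]


def csr_plan(alias, keystore, csr_file="csr.txt"):
    """9.4 step 2a: the CSR is made under the same alias as the key pair."""
    return [["keytool", "-certreq", "-alias", alias, "-file", csr_file, "-keystore", keystore]]


def import_plan(alias, keystore, root_crt, inter_crts, domain_crt):
    """9.4 step 3: root first, then each intermediate, then the domain cert under the key-pair alias."""
    steps = [["keytool", "-import", "-trustcacerts", "-alias", "root", "-file", root_crt, "-keystore", keystore]]
    for i, crt in enumerate(inter_crts):
        inter_alias = "inter" if i == 0 else f"inter{i + 1}"
        steps.append(["keytool", "-import", "-trustcacerts", "-alias", inter_alias, "-file", crt, "-keystore", keystore])
    steps.append(["keytool", "-import", "-trustcacerts", "-alias", alias, "-file", domain_crt, "-keystore", keystore])
    return steps


def chain_length(listing):
    """Parse 'Certificate chain length: N' from 'keytool -list -v' output; 0 when no chain is shown."""
    m = re.search(r"Certificate chain length:\s*(\d+)", listing)
    return int(m.group(1)) if m else 0


def run(commands, storepass, keypass=None):
    """Execute a plan with the keytool on PATH; passwords are passed as arguments so nothing prompts."""
    if shutil.which("keytool") is None:
        raise RuntimeError("keytool not found on PATH; install a JDK first")
    keypass = keypass or storepass
    for cmd in commands:
        extra = ["-storepass", storepass]
        if cmd[1] == "-genkey":
            extra += ["-keypass", keypass]
        if cmd[1] == "-import":
            extra.append("-noprompt")  # accept the CA certificates without the interactive "Trust this certificate?"
        subprocess.run(cmd + extra, check=True)


def verify_chain(alias, keystore, storepass, expected=3):
    """After 9.4 step 3 the key-pair alias should carry root + intermediate + domain, i.e. length 3."""
    out = subprocess.run(["keytool", "-list", "-v", "-alias", alias, "-keystore", keystore,
                          "-storepass", storepass], capture_output=True, text=True, check=True).stdout
    return chain_length(out) == expected


if __name__ == "__main__":
    plan = keystore_plan("tomcat", "acmegroup.keystore", "*.yourdomain.com", "Acme Group", wildcard=True)
    plan += csr_plan("tomcat", "acmegroup.keystore")
    for cmd in plan:
        print(" ".join(cmd))
```

For a CA with more than one intermediate, pass them in issuing order (`["inter.crt", "inter2.crt"]`) and adjust `expected` in `verify_chain` accordingly; a chain length that stays at 1 after the import means the domain certificate landed under the wrong alias.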
9.5 How do I configure Windows Integrated Authentication for MSSQL
To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server[Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.
9.6 What is JNDI Connection Pooling
Policy Server uses a JNDI connection pool to connect to the Active Directory Domain Controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends providing the following parameter in the Tomcat startup arguments:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter tells the pool to release a connection if it has been in the pool for more than 10 minutes (600000 milliseconds). You can configure other parameters as well, according to the requirements of the deployment.
To configure the startup parameter in Tomcat Server:
1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and append the parameter name-value pair in the Java Options field, for example -Dcom.sun.jndi.ldap.connect.pool.timeout=600000.
9.7 How do I configure the Adoption Stats feature in Policy Server
To disable or enable the Adoption Stats feature, execute the respective script in the database.
For disabling Adoption Stats:
o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql
For enabling Adoption Stats:
o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql
9.8 How do I tune the system for higher performance
To tune the system for higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.
10 Resources
Below is the list of documents included, with their location (Document - Description).

Policy Server [Version]\Installation Docs
  Lite Server Installation Guide.txt - Steps for Lite Server installation

Policy Server [Version]\Installation Docs\Supplements
  Configuring SSO Using WebSEAL Junction.txt - Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
  Connecting to AD over SSL.txt - Steps to import the SSL certificate into the JVM for connecting to Active Directory (over SSL)
  SIM repository Configuration.pdf - Steps to configure the SIM Repository in Policy Server
  Import Self-signed Certificate in Java.txt - Steps to import a self-signed certificate into the Java Certificate Trust Store
  Tweaking Tomcat JVM Memory.txt - Steps to configure the JVM memory of Tomcat
  Tomcat Valve Configuration for Resolving Client IP Addresses.pdf - Steps to configure RemoteIpValve in different server environment setups
  Thales HSM Configuration Guide.txt - Steps to configure Thales HSM for Policy Server
  Google Authentication Configuration Guide.pdf - Steps to configure Google authentication in Policy Server
  Azure Authentication Configuration Guide.pdf - Steps to configure Azure authentication in Policy Server
  Seclore License Portal - User Manual.pdf - Steps to generate a valid PolicyServer.consent file
  Seclore MDK Configuration Guide.txt - Steps to configure Seclore MDK in Policy Server
  SSL 3.0 Configuration.txt - Steps to enable/disable SSL 3.0
  GDPR Implementation Guide.pdf - Steps to implement GDPR in Policy Server

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
  Windows Integrated Auth MSSQL.pdf - Steps to configure Windows integrated authentication for MSSQL

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
  Outlook on the Web Add-in Configuration Guide.pdf - Steps to install and configure the Outlook on the web Add-in for Policy Server

Policy Server [Version]\Installation Docs\References
  Creating Database Schema.pdf - Steps to configure the database and execute the database script for Policy Server
  Open JDK 11 Installation Guide.pdf - Steps to install Open JDK 11 for Policy Server
  Tomcat 9 Installation Guide.pdf - Steps to install Apache Tomcat 9 for Policy Server
  Seclore Supported Timezones.pdf - List of timezones that can be configured in the Tomcat Java options
  TCP Socket Timeout Configuration.txt - Steps to configure tcpTimedWaitDelay
This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.
zones, refer to Seclore Supported Timezones.pdf in the References folder.
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000 - This is required if you are planning to configure a Simple AD Repository in Policy Server to connect to Active Directory. If not, this can be skipped. Refer to What is JNDI Connection Pooling for further details.
4. Add the configuration below, required by the Seclore Policy Server, to the 'Java 9 Options' field.
Note: Do not update or delete the default 'Java 9 Options' already present in Tomcat 9.
--add-opens=java.base/java.nio=ALL-UNNAMED
--add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
--add-exports=java.desktop/sun.awt=ALL-UNNAMED
--add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED
--add-exports=java.desktop/com.sun.imageio.plugins.png=ALL-UNNAMED
--add-exports=java.desktop/com.sun.imageio.plugins.common=ALL-UNNAMED
--add-exports=java.base/sun.security.provider=ALL-UNNAMED
--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
--add-modules=jdk.rmic
--add-exports=jdk.rmic/sun.tools.javac=ALL-UNNAMED
2.6.2 Customizing Tomcat Error Handling
1. Copy SecloreCustomErrorReportValve.jar from the 'Policy Server [Version]\Tools\Tomcat\Configure Custom Error Pages' directory to the '<TOMCAT_INSTALL_FOLDER>\lib' directory.
2. Open server.xml from '<TOMCAT_INSTALL_FOLDER>\conf'.
3. Add the errorReportValveClass attribute inside the <Host ...> tag to customize the error handling of the Tomcat server:
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true"
      errorReportValveClass="com.seclore.fs.customerrorvalve.SecloreCustomErrorReportValve">
2.6.3 Allowing/Restricting Tomcat Manager Application
By default, the manager application is enabled in Tomcat. If the Tomcat manager application is enabled, any user can access it, and users can reload any web application from the Tomcat manager. It is highly recommended to restrict the Tomcat manager application in the production environment.
Note: To restart any web application, restart the Tomcat server.
To restrict the Tomcat Manager application:
1. Take a backup of the following files:
From the <TOMCAT_HOME>\webapps\ROOT folder:
I. index.jsp
II. favicon.ico
From <TOMCAT_HOME>\webapps:
I. docs
II. examples
III. host-manager
IV. manager
2. Overwrite index.jsp and favicon.ico with the copies from the Policy Server [Version]\Tools\Tomcat\Block Manager Application folder.
3. Update the index.jsp page to enable any one of the following options:
Display a blank page with a security message:
I. Open the index.jsp file.
II. Uncomment Block 1.
III. Provide the customized message.
Display a blank page with a security message and a Policy Server redirect URL:
I. Open the index.jsp file.
II. Uncomment Block 2.
III. Provide the customized message.
IV. Provide the application name in the anchor tag.
Redirect to the Policy Server:
I. Open the index.jsp file.
II. Uncomment Block 3.
III. Provide the application name.
4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:
docs
examples
host-manager
manager
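Steps 1 and 4 above (back up, then remove docs, examples, host-manager and manager) are the part of this procedure that is usually done by hand and then not verified. The script below is an added example, not Seclore tooling: it copies the ROOT files and the four listed webapps to a backup folder, removes the webapps, and reports which restricted applications are still deployed so the result can be checked. One addition beyond the guide's wording is an assumption of mine: a `<name>.war` next to the exploded directory is also backed up and removed, because with `autoDeploy="true"` (as in the Host tag above) a leftover WAR would be expanded again at the next Tomcat start. Paths are generic; `tomcat_home` is whatever `<TOMCAT_HOME>` is on the machine.

```python
"""Back up and remove the Tomcat sample and manager webapps named in 2.6.3 (steps 1 and 4).
Added example, not Seclore tooling."""
import shutil
from datetime import datetime
from pathlib import Path

RESTRICTED_WEBAPPS = ("docs", "examples", "host-manager", "manager")  # list from steps 1 and 4
ROOT_FILES = ("index.jsp", "favicon.ico")                              # files overwritten in step 2


def backup_and_remove(tomcat_home, backup_root=None, dry_run=False):
    """Copy the ROOT files and the restricted webapps to backup_root, then delete the webapps.
    Returns (backed_up, removed) as names relative to webapps/. With dry_run nothing on disk changes."""
    webapps = Path(tomcat_home) / "webapps"
    if not webapps.is_dir():
        raise FileNotFoundError(f"{webapps} is not a Tomcat webapps folder")
    if backup_root is None:
        backup_root = Path(tomcat_home) / ("webapps-backup-" + datetime.now().strftime("%Y%m%d-%H%M%S"))
    backup_root = Path(backup_root)
    backed_up, removed = [], []
    for name in ROOT_FILES:
        src = webapps / "ROOT" / name
        if src.is_file():
            if not dry_run:
                (backup_root / "ROOT").mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, backup_root / "ROOT" / name)
            backed_up.append(f"ROOT/{name}")
    for name in RESTRICTED_WEBAPPS:
        # Assumption: an exploded directory and/or a WAR may be present; with autoDeploy="true"
        # a leftover WAR is redeployed at the next start, so both forms are backed up and removed.
        for candidate in (webapps / name, webapps / f"{name}.war"):
            if not candidate.exists():
                continue
            if not dry_run:
                backup_root.mkdir(parents=True, exist_ok=True)
                if candidate.is_dir():
                    shutil.copytree(candidate, backup_root / candidate.name)
                    shutil.rmtree(candidate)
                else:
                    shutil.copy2(candidate, backup_root / candidate.name)
                    candidate.unlink()
            backed_up.append(candidate.name)
            removed.append(candidate.name)
    return backed_up, removed


def remaining_restricted(tomcat_home):
    """Names from RESTRICTED_WEBAPPS still deployed (directory or WAR); an empty list means step 4 is done."""
    webapps = Path(tomcat_home) / "webapps"
    return [n for n in RESTRICTED_WEBAPPS if (webapps / n).exists() or (webapps / f"{n}.war").exists()]


if __name__ == "__main__":
    import sys
    home = sys.argv[1] if len(sys.argv) > 1 else "."
    print("would back up/remove:", backup_and_remove(home, dry_run=True))
    print("still deployed:", remaining_restricted(home))
```

Run it once with `dry_run=True` to see what would be touched, then for real; stop Tomcat first, since Tomcat reacts to directories disappearing under a running `autoDeploy` host.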
2.6.4 Copying Common Libraries
Copy the common library files from Policy Server[Version]\Tools\Common Libs to <TOMCAT_HOME>\lib.
2.6.5 Configuring server.xml in Apache Tomcat
The server.xml file is in the <TOMCAT_HOME>\conf folder.
1. Comment out the <Connector> tags with port attribute 8080 and 8009 by enclosing these tags within <!-- --> if these ports are not used by any other application.
2. Add the configuration for the <Connector> tag into server.xml inside the <Service name="Catalina"> tag.
Note:
- The keyAlias value is the name of the alias that you entered while creating the keystore entry.
- disableUploadTimeout is false to allow uploading larger files through the Lite Server application.
- Check that the port specified in the connector tag below is not used by any other application.
<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
8
Note Refer to SSL 30 Configurationtxt only to enable SSL 30 protocol for IE6 and other dependent DC
versions (24000 and older)
3 Add the configuration for AJP connector
Note
AJP connector is needed if Apache is available in front of the Policy Server
In an ideal scenario only one connector configuration must be available and the other
connector configurations removed
In the Apache the TTL configuration for balancer member should be 1200 to match
connectionTimeout and keepAliveTimeout In case the configuration is changed it should be
corrected on both the Apache reverse proxy and Tomcat server
Address attribute value should be the IP of tomcat server which is configure in the Apache
for proxy pass
requiredSecret attributes value should be the same as configured in Apaches policyserver
vhost file Refer secret keyword while configuring ajps balancemanager
ltConnector port=443 protocol = orgapachecoyotehttp11Http11Nio2Protocol keystoreFile=ABSOLUTE PATH OF THE KEY STORE FILE keyAlias = NAME_OF_KEYSTORE_ALIAS keystorePass=PASSWORD redirectPort=-1 maxHttpHeaderSize=16384 disableUploadTimeout=false connectionUploadTimeout=3600000 acceptCount=100 acceptorThreadCount=2 maxThreads=15000 maxConnections=-1 useServerCipherSuitesOrder=true scheme=https secure=true SSLEnabled=true clientAuth=false sslEnabledProtocols=TLSv1TLSv11TLSv12 URIEncoding=UTF-8 server=Seclore Server ciphers = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHATLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHAgt ltConnectorgt
ltConnector port=8009 protocol=AJP13
packetSize=16384 URIEncoding=UTF-8 connectionTimeout=1200000 keepAliveTimeout=1200000 maxConnections=-1 maxThreads=15000 address=127001 requiredSecret=YOUR_AJP_SECRET gt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
9
4 Add the configuration for Policy Server within the ltHosthellipgt tag
Note docBase attribute should point to the Policy Server home folder For example DSeclorePolicy
Server
For MSSQL Database Server
Note Refer How toConfigure Windows Integrated Authentication for MSSQL to enable Windows
authentication for MSSQL Database Server
For ORACLE Database Server
Note Refer Policy Server [Version]ToolsTomcatDatabase Credentials EncryptionDatabase
Credentials Encryption Guidetxt to configure encrypted username and password for the database
ltContext path=policyserver docBase=ABSOLUTE PATH OF POLICYSERVER HOME FOLDER gt ltValve className=orgapachecatalinavalvesRemoteIpValvegt ltValve className=orgapachecatalinaauthenticatorNonLoginAuthenticator disableProxyCaching=true securePagesWithPragma=false gt ltResource name=jdbcfilesecure auth=Container type=javaxsqlDataSource driverClassName=commicrosoftsqlserverjdbcSQLServerDriver url=jdbcsqlserverDBSERVERNAMEPORTdatabaseName=DATABASENAME username=USERNAME password=PASSWORD maxWaitMillis=5000 maxTotal=30000 removeAbandonedOnBorrow=true removeAbandonedTimeout=300 logAbandoned=true testOnBorrow=true validationQuery=select GETDATE()gt ltManager className=orgapachecatalinasessionPersistentManager saveOnRestart=falsegt ltStore className=orgapachecatalinasessionFileStoregt ltManagergt ltContextgt
ltContext path=policyserver docBase=ABSOLUTE PATH OF POLICYSERVER HOME FOLDER gt ltValve className=orgapachecatalinavalvesRemoteIpValvegt ltValve className=orgapachecatalinaauthenticatorNonLoginAuthenticator disableProxyCaching=true securePagesWithPragma=false gt ltResource name=jdbcfilesecure auth=Container type=javaxsqlDataSource driverClassName=oraclejdbcdriverOracleDriver url=jdbcoraclethinDBSERVERNAMEPORTSERVICENAME username=USERNAME password=PASSWORD maxWaitMillis=5000 maxTotal=30000 removeAbandonedOnBorrow=true removeAbandonedTimeout=300 logAbandoned=true testOnBorrow=true validationQuery=select from dualgt ltManager className=orgapachecatalinasessionPersistentManager saveOnRestart=falsegt ltStore className=orgapachecatalinasessionFileStoregt ltManagergt ltContextgt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
10
5 Add the configuration for RemoteIpValve inside the ltContexthellipgt tag
Note Refer to Policy Server[Version]Installation DocsSupplementsTomcat Valve Configuration for
Resolving Client IP Addressespdf for configuring RemoteValve in different server setups
27 Disabling ProxyErrorOverride in Apache server
Perform the following steps if your Policy Server is deployed behind an Apache server
1 Open the vhost file where Policy Serverrsquos proxypass is configured
2 Add following lines of code in it
3 Restart Apache server
3 Setting Up and Configuring Policy Server The Policy Server installation shipped in the PolicyServerzip requires some configuration settings Extract the contents
of the zipped folder from the Policy Server[Version]Web App folder to another folder You can name the new folder as
ltPOLICYSERVER_HOMEgt For example DSeclorePolicy ServIer
Follow the steps mentioned below to configure the Policy Server
31 Adding Deployment Specific Buffer Files
Deployment specific PDF buffer files are required if Seclore Lite Online is installed Copy the customer specific PDF
buffer files in the ltPOLICYSERVER_HOMEgtcustombufferfiles folder If the deployment if for a demo or POC
purpose and a default buffer file is needed then the buffer files can be copied from Policy
Server[Version]Installation Docs
32 License File
Place the Policy Server license file (PolicyServerlic) in the ltPOLICYSERVER_HOMEgtconfig folder
33 Consent File
Place the Policy Server Consent file (PolicyServerconsent) in the ltPOLICYSERVER_HOMEgtconfig folder
Note Http Header size is changed from default 8KB to 16KB This setting will be applicable for all apps running on that Tomcat If Tomcat is running on httphttps port
- Add lsquomaxHttpHeaderSizersquo attribute with value ldquo16384 to configured connector in ltTOMCAT-HOMEgtconfserverxml eg ltConnector port=8080 maxHttpHeaderSize=16384 protocol=HTTP11 gt
If Tomcat is running on AJP port - Add lsquopacketSizersquo attribute with value ldquo16384 to configured connector in
ltTOMCAT-HOMEgtconfserverxml eg ltConnector port=8009 protocol=AJP13 packetSize=16384 gt
When Tomcat is running behind Apache server Apache server will also need to be configured to accept 16KB header size requests
If TomcatApache is behind any Load Balancer (LB) please make sure it is configured
to accept 16KB header size requests
ltIf HTTP_ACCEPT =~ jsongt ProxyErrorOverride Off ltIfgt ltIf HTTP_ACCEPT =~ xmlgt ProxyErrorOverride Off ltIfgt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
11
34 Run Tomcat Service
Configure a valid BYOK (Bring Your Own Key) Refer to Configure BYOK (Bring Your Own Key) in Policy Server Run the
Apache Tomcat 90 service to start the Policy Server
35 Provide Configuration Details
1 Access the POLICY_SERVER_APPLICATION_URLsysadmin
2 Log in using system administrator credentials The Manage Server Configuration page appears
3 Enter information such as Organization Name Application Name Application URL etc
4 Click Save
5 Restart Tomcat service
Note For any changes in the configuration you can access the Manage Server Configuration page from More gtgt
Configuration gtgt Manager Server Configuration on system administrator login
36 Seclore Online Help
Seclore Online Help are updated regularly to provide the latest information about Seclore components and their
functionalities
To configure Seclore Online Help
1 Get the latest Help Manuals from Seclore
2 Extract PolicyServerzip from this folder The extracted folder has the following structure
3 Copy the contents from the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER
4 Overwrite existing files and folders if prompted
Note
o Refer READMEtxt file provided with help manuals Detailed instructions for deploying help manuals are
mentioned in this file
o If the Online Help is not configured an error page will be displayed to the user on clicking the Help icon in
the Policy Server
4 Configure BYOK (Bring Your Own Key) in Policy Server
Policy Server supports the following key management systems:
o Seclore MDK (default): to configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt.
o Thales Hardware Security Module (Thales HSM): to configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt.
By default, Seclore MDK is configured, and it is the recommended option. However, you can disable it.
Perform the following steps to disable BYOK:
1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml.
   a. Remove the entire <mdk-config> tag.
   b. Only an empty <mdk-configs> tag should be present.
Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.
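As an added illustration of the step above (example code written for this page, not part of the guide or of the Seclore product), the following Python turns the default MDKConfig.xml into the BYOK-disabled form and checks the result the way step 1b describes it: no <mdk-config> entries left, only the empty <mdk-configs> root. The sample XML is a constructed copy of the MDKConfig.xml shown in this guide; the function names are the example's own.

```python
"""Disable BYOK in MDKConfig.xml: drop every <mdk-config> entry and keep an empty <mdk-configs> root."""
import xml.etree.ElementTree as ET

# Constructed copy of the default MDKConfig.xml shown in this guide (Seclore MDK enabled).
DEFAULT_MDK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
    <!-- Configure External Encryption Mechanism here -->
    <mdk-config>
        <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
    </mdk-config>
</mdk-configs>
"""


def _root(xml_text):
    """Parse and make sure this really is an MDKConfig.xml before touching it."""
    root = ET.fromstring(xml_text)  # the default parser drops XML comments
    if root.tag != "mdk-configs":
        raise ValueError(f"expected <mdk-configs> root, found <{root.tag}>")
    return root


def configured_adaptors(xml_text):
    """Adaptor classes of every configured key management system, in file order."""
    return [(el.findtext("adaptor-class") or "").strip()
            for el in _root(xml_text).findall("mdk-config")]


def byok_disabled(xml_text):
    """True only when <mdk-configs> has no child elements at all (step 1b of the guide)."""
    return len(list(_root(xml_text))) == 0


def disable_byok(xml_text):
    """Return the file content with all <mdk-config> entries removed."""
    root = _root(xml_text)
    for entry in root.findall("mdk-config"):
        root.remove(entry)
    root.text = "\n"  # keep the empty root on two lines, as in the guide's example
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    print("before:", configured_adaptors(DEFAULT_MDK_CONFIG))
    after = disable_byok(DEFAULT_MDK_CONFIG)
    print(after, "disabled:", byok_disabled(after))
```

Run it against a copy of the real file before the first start of Tomcat; the note above is why: once the deployment is live the file must not be changed again, so the check in byok_disabled is worth having in whatever pre-go-live review you do.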
5 Adoption Stats
Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to "How do I configure the Adoption Stats feature in Policy Server".
Note: This feature requires a valid consent file to be available.
o For a Production deployment, Adoption Stats are not sent if a valid consent file is not available.
o For a POC/Demo/UAT deployment, Adoption Stats are not sent irrespective of the consent.
6 Post Installation Configurations
The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]".
For example: "https://irm.acmegroup.com/policyserver".
The System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin".
For example: "https://irm.acmegroup.com/policyserver/sysadmin".
A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admin), manage Enterprise Applications, etc.
7 Configuring Other Components
7.1 Lite Server
Refer to the installation guide at Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt for the Lite Server application deployment.
8 Uploading Customized Seclore Client Installers in Policy Server
1. Access the <POLICY_SERVER_APPLICATION_URL>/sysadmin URL.
2. Log in using the System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After a successful upload, view the installer details in the Uploaded Installers and Patches section.
MDKConfig.xml with Seclore MDK configured (the default, see section 4):
<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
    <!-- Configure External Encryption Mechanism here -->
    <mdk-config>
        <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
    </mdk-config>
</mdk-configs>

MDKConfig.xml with BYOK disabled (only the empty <mdk-configs> tag remains):
<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
</mdk-configs>
6. To verify the uploaded installer file, click the download icon or the installer file name.
9 Frequently Asked Questions
9.1 How do I acquire the Policy Server License?
To acquire the license:
1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run the UserInfo.exe file on the machine where the Policy Server needs to be installed.
The above step generates an XML file in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.
9.2 How do I set up the logger?
Logging for the Policy Server can be set to 4 different modes:
o Off: logs nothing.
o Error: logs only errors.
o Info: logs errors and major milestones such as connection to the database or connection to AD.
o Debug: logs each processing step of the server in detail.
To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. Three loggers are defined in it:
o REQUEST: logs all the requests sent by the different clients to Policy Server (<POLICYSERVER_HOME>\logs\Request.log).
o DEBUG: logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log).
o SYNC: logs the steps while synchronizing the different repositories (<POLICYSERVER_HOME>\logs\Sync.log).
Modify the level attribute of the logger definitions (shown below) to set the logging type for each logger.
9.3 How do I generate a self-signed SSL certificate?
To create the certificate file:
1. Open a command prompt.
2. Enter the details as shown below. Change the current directory to the Seclore folder created earlier, for example D:\Seclore.
Note:
o Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
o For "first and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.
o The keystore password and the key password for the alias are required for smooth functioning of the Policy Server application.
3. Enter the following command.
Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command. The -sigalg SHA1WithRSA value is reproduced as the guide gives it; a self-signed certificate signed with SHA-1 is rejected by current browsers and clients, so prefer -sigalg SHA256withRSA where the deployment allows it.
o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore
Logger definitions in log4j2.xml (referred to in 9.2; set the level attribute to off, error, info or debug):
<AsyncLogger name="REQUEST" level="debug" additivity="false">
<AsyncLogger name="DEBUG" level="debug" additivity="false">
<AsyncLogger name="SYNC" level="debug" additivity="false">
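Added example (not from the guide or the product): a Python helper that maps the four modes named in 9.2 to log4j2 level names and rewrites the level attribute of the REQUEST, DEBUG and SYNC AsyncLogger definitions, rejecting unknown modes or logger names so a typo cannot silently leave a logger at debug. The Appenders section of the sample log4j2.xml is an assumption made so the file parses; the guide only shows the three logger tags and the three log file names.

```python
"""Switch the logging mode of Policy Server's REQUEST, DEBUG and SYNC loggers in log4j2.xml."""
import xml.etree.ElementTree as ET

# The four modes named in this FAQ, mapped to log4j2 level names.
MODES = {"Off": "off", "Error": "error", "Info": "info", "Debug": "debug"}
LOGGERS = ("REQUEST", "DEBUG", "SYNC")

# Constructed sample: the AsyncLogger tags follow the guide; the Appenders section is an
# assumption made so the file parses (the guide only names the three log files).
SAMPLE_LOG4J2 = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <File name="RequestFile" fileName="logs/Request.log"><PatternLayout pattern="%d %m%n"/></File>
    <File name="ServerFile" fileName="logs/PolicyServer.log"><PatternLayout pattern="%d %m%n"/></File>
    <File name="SyncFile" fileName="logs/Sync.log"><PatternLayout pattern="%d %m%n"/></File>
  </Appenders>
  <Loggers>
    <AsyncLogger name="REQUEST" level="debug" additivity="false"><AppenderRef ref="RequestFile"/></AsyncLogger>
    <AsyncLogger name="DEBUG" level="debug" additivity="false"><AppenderRef ref="ServerFile"/></AsyncLogger>
    <AsyncLogger name="SYNC" level="debug" additivity="false"><AppenderRef ref="SyncFile"/></AsyncLogger>
    <Root level="error"/>
  </Loggers>
</Configuration>
"""


def logger_levels(xml_text):
    """Current level of each of the three loggers, e.g. {"REQUEST": "debug", ...}."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get("level")
            for el in root.iter("AsyncLogger") if el.get("name") in LOGGERS}


def set_logging_mode(xml_text, modes):
    """Rewrite the level attribute for the loggers in `modes` ({"REQUEST": "Info", ...}).

    Loggers not mentioned keep their level. Unknown modes or logger names raise ValueError,
    and so does a logger that is requested but absent from the file.
    """
    for name, mode in modes.items():
        if name not in LOGGERS:
            raise ValueError(f"unknown logger {name!r}; expected one of {LOGGERS}")
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}; expected one of {tuple(MODES)}")
    root = ET.fromstring(xml_text)
    seen = set()
    for el in root.iter("AsyncLogger"):
        name = el.get("name")
        if name in modes:
            el.set("level", MODES[modes[name]])
            seen.add(name)
    missing = set(modes) - seen
    if missing:
        raise ValueError(f"logger(s) not found in file: {sorted(missing)}")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    print(logger_levels(SAMPLE_LOG4J2))
    print(logger_levels(set_logging_mode(SAMPLE_LOG4J2, {"REQUEST": "Error", "SYNC": "Off"})))
```

For production, Info on DEBUG and Error on REQUEST keeps the milestone and error trail without writing every request body step; switch a logger to Debug only for the duration of a diagnosis, since the Request.log and PolicyServer.log files grow quickly at that level.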
At the end of this activity, an "acmegroup.keystore" file is created. The keystore file is created in the directory the command prompt pointed to while running the keytool command; for example, in the sample screens above the keystore file is generated at D:\Seclore.
Note: This keystore file is referred to later in the Tomcat server.xml configuration.
9.4 How do I get a CA-signed SSL certificate?
Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.
To generate a CSR (Certificate Signing Request) and to import the certificate:
1. Generate the keystore file. Refer to "How do I generate a self-signed SSL certificate" to get the keystore file.
2. To generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:
      keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.
   c. Send the CSR to the vendor of the SSL certificate.
Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.
3. After receiving the certificates from the vendor, import them into the keystore (root first, then intermediate, then the domain certificate):
   For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
9.5 How do I configure Windows Integrated Authentication for MSSQL?
To configure Windows Integrated Authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.
9.6 What is JNDI Connection Pooling?
Policy Server uses a JNDI connection pool to connect to the Active Directory Domain Controller. Different parameters can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends providing the following parameter with the Tomcat startup arguments:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter instructs the pool to release a connection if it has sat in the pool for more than 10 minutes (600000 milliseconds), i.e. before the Domain Controller drops it on its side. You can configure other parameters as well, according to the requirements of the deployment.
To configure the startup parameter in Tomcat Server:
1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name-value pair. For example: -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
9.7 How do I configure the Adoption Stats feature in Policy Server?
To disable or enable the Adoption Stats feature, execute the respective script in the database.
For disabling Adoption Stats:
o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql
For enabling Adoption Stats:
o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql
9.8 How do I tune the system for higher performance?
To tune the system for higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.
10 Resources
Below is the list of documents included, with their locations.

Location: Policy Server [Version]\Installation Docs
  Document | Description
  Lite Server Installation Guide.txt | Steps for Lite Server installation

Location: Policy Server [Version]\Installation Docs\Supplements
  Document | Description
  Configuring SSO Using WebSEAL Junction.txt | Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
  Connecting to AD over SSL.txt | Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL)
  SIM repository Configuration.pdf | Steps to configure the SIM Repository in Policy Server
  Import Self-signed Certificate in Java.txt | Steps to import a self-signed certificate into the Java Certificate Trust Store
  Tweaking Tomcat JVM Memory.txt | Steps to configure the JVM memory of Tomcat
  Tomcat Valve Configuration for Resolving Client IP Addresses.pdf | Steps to configure RemoteIpValve in different server environment setups
  Thales HSM Configuration Guide.txt | Steps to configure Thales HSM in Policy Server
  Google Authentication Configuration Guide.pdf | Steps to configure Google authentication in Policy Server
  Azure Authentication Configuration Guide.pdf | Steps to configure Azure authentication in Policy Server
  Seclore License Portal – User Manual.pdf | Steps to generate a valid PolicyServer.consent file
  Seclore MDK Configuration Guide.txt | Steps to configure Seclore MDK in Policy Server
  SSL 3.0 Configuration.txt | Steps to enable/disable SSL 3.0
  GDPR Implementation Guide.pdf | Steps to implement GDPR in Policy Server

Location: Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
  Document | Description
  Windows Integrated Auth MSSQL.pdf | Steps to configure Windows Integrated Authentication for MSSQL

Location: Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
  Document | Description
  Outlook on the Web Add-in Configuration Guide.pdf | Steps to install and configure the Outlook on the web Add-in for Policy Server

Location: Policy Server [Version]\Installation Docs\References
  Document | Description
  Creating Database Schema.pdf | Steps to configure the database and execute the database script for Policy Server
  Open JDK 11 Installation Guide.pdf | Steps to install Open JDK 11 for Policy Server
  Tomcat 9 Installation Guide.pdf | Steps to install Apache Tomcat 9 for Policy Server
  Seclore Supported Timezones.pdf | List of timezones that can be configured in the Tomcat Java options
  TCP Socket Timeout Configuration.txt | Steps to configure tcpTimedWaitDelay
This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.
3. Update the index.jsp page to enable one of the following options:
   Display a blank page with a security message:
     I. Open the index.jsp file.
     II. Uncomment Block 1.
     III. Provide the customized message.
   Display a blank page with a security message and the Policy Server redirect URL:
     I. Open the index.jsp file.
     II. Uncomment Block 2.
     III. Provide the customized message.
     IV. Provide the application name in the anchor tag.
   Redirect to Policy Server:
     I. Open the index.jsp file.
     II. Uncomment Block 3.
     III. Provide the application name.
4. Remove the following applications from the <TOMCAT_HOME>\webapps folder:
   o docs
   o examples
   o host-manager
   o manager
2.6.4 Copying Common Libraries
Copy the common library files from Policy Server [Version]\Tools\Common Libs to <TOMCAT_HOME>\lib.
2.6.5 Configuring server.xml in Apache Tomcat
The server.xml file is in the <TOMCAT_HOME>\conf folder.
1. Comment out the <Connector> tags with port attribute 8080 and 8009 by enclosing these tags within <!-- --> if these ports are not used by any other application.
2. Add the configuration for the <Connector> tag into server.xml inside the <Service name="Catalina"> tag.
Note:
o The keyAlias value is the name of the alias that you entered while creating the keystore entry.
o disableUploadTimeout is false so that larger files can be uploaded through the Lite Server application.
o Check that the port specified in the connector tag below is not used by any other application.
Default connectors commented out (step 1):
<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
Note: Refer to SSL 3.0 Configuration.txt only if you must enable the SSL 3.0 protocol for IE6 and other dependent DC versions (24000 and older).
3. Add the configuration for the AJP connector.
Note:
o The AJP connector is needed if Apache is available in front of the Policy Server.
o In an ideal scenario, only one connector configuration should be present and the other connector configurations removed.
o In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. If the configuration is changed, it should be corrected on both the Apache reverse proxy and the Tomcat server.
o The address attribute value should be the IP of the Tomcat server that is configured in Apache for the proxy pass.
o The requiredSecret attribute value should be the same as configured in Apache's policyserver vhost file. Refer to the secret keyword while configuring the AJP balancer members.
HTTPS connector (step 2):
<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE" keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
           redirectPort="-1" maxHttpHeaderSize="16384" disableUploadTimeout="false" connectionUploadTimeout="3600000"
           acceptCount="100" acceptorThreadCount="2" maxThreads="15000" maxConnections="-1"
           useServerCipherSuitesOrder="true" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8" server="Seclore Server"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
</Connector>
AJP connector (step 3):
<Connector port="8009" protocol="AJP/1.3"
           packetSize="16384" URIEncoding="UTF-8" connectionTimeout="1200000" keepAliveTimeout="1200000"
           maxConnections="-1" maxThreads="15000" address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />
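As an added example (written for this page; not part of the original guide or of the Seclore product), the following Python script parses a server.xml and reports the connector settings this section asks for: 16 KB header size on both the HTTP and the AJP connector, a real AJP requiredSecret, an AJP address that is not wide open, and keystore placeholders replaced. It adds the checks a security reviewer would raise on the connector shown above: TLSv1 and TLSv1.1 still listed in sslEnabledProtocols, the 3DES suite, and RSA key-exchange suites that give no forward secrecy. The sample server.xml is constructed from the connectors shown above (with the placeholders left unreplaced on purpose); the finding texts and the hardening checks are the example's own, not the guide's. Because ElementTree drops XML comments, a connector commented out as in step 1 is correctly ignored.

```python
"""Audit Tomcat server.xml <Connector> elements against the settings this guide asks for."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the guide's connectors; placeholders deliberately left in place.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="D:/Seclore/acmegroup.keystore" keyAlias="tomcat" keystorePass="PASSWORD"
               maxHttpHeaderSize="16384" scheme="https" secure="true" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="8009" protocol="AJP/1.3" packetSize="16384"
               address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET"/>
  </Service>
</Server>
"""

# Placeholder strings used in this guide that must never survive into a live server.xml.
PLACEHOLDERS = {"PASSWORD", "YOUR_AJP_SECRET", "ABSOLUTE PATH OF THE KEY STORE FILE",
                "NAME_OF_KEYSTORE_ALIAS"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def audit_connector(conn):
    """Return a list of findings (empty when clean) for one <Connector> element."""
    a = conn.attrib
    findings = []
    proto = a.get("protocol", "HTTP/1.1")
    if "ajp" in proto.lower():
        if a.get("packetSize") != "16384":
            findings.append("packetSize should be 16384 for 16 KB headers")
        secret = a.get("requiredSecret")
        if not secret or secret in PLACEHOLDERS:
            findings.append("requiredSecret missing or still a placeholder")
        if a.get("address") in (None, "0.0.0.0"):
            findings.append("address should be restricted to the Apache-facing interface")
        return findings
    if a.get("maxHttpHeaderSize") != "16384":
        findings.append("maxHttpHeaderSize should be 16384 for 16 KB headers")
    if a.get("SSLEnabled", "false").lower() != "true":
        findings.append("plaintext HTTP connector enabled")
        return findings
    for attr in ("keystoreFile", "keyAlias", "keystorePass"):
        if not a.get(attr) or a.get(attr) in PLACEHOLDERS:
            findings.append(f"{attr} missing or still a placeholder")
    enabled = {p.strip() for p in a.get("sslEnabledProtocols", "").split(",") if p.strip()}
    for p in sorted(enabled & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {p}")
    for c in (c.strip() for c in a.get("ciphers", "").split(",")):
        if "3DES" in c:
            findings.append(f"weak cipher: {c}")
        elif c and not c.startswith("TLS_ECDHE_"):
            findings.append(f"no forward secrecy: {c}")
    return findings


def audit_server_xml(xml_text):
    """Map each active (non-commented) connector port to its findings."""
    root = ET.fromstring(xml_text)  # comments are dropped, so commented-out connectors are skipped
    return {conn.get("port"): audit_connector(conn) for conn in root.iter("Connector")}


if __name__ == "__main__":
    for port, issues in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(port, issues or ["OK"])
```

Run against the real <TOMCAT_HOME>\conf\server.xml the output should be an empty list per port before go-live; any "placeholder" finding means a value from this guide was pasted without being replaced, and the protocol and cipher findings tell you what is left for clients that are older than the deployment needs.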
4. Add the configuration for Policy Server within the <Host ...> tag.
Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.
For MSSQL Database Server:
Note: Refer to "How do I configure Windows Integrated Authentication for MSSQL" to enable Windows authentication for the MSSQL Database Server.
For ORACLE Database Server:
Note: Refer to Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt to configure an encrypted username and password for the database.
Context for MSSQL Database Server:
<Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
    <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
    <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
              driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
              url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
              username="USERNAME" password="PASSWORD"
              maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
              logAbandoned="true" testOnBorrow="true" validationQuery="select GETDATE()"/>
    <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
        <Store className="org.apache.catalina.session.FileStore"/>
    </Manager>
</Context>

Context for ORACLE Database Server:
<Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
    <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
    <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
              driverClassName="oracle.jdbc.driver.OracleDriver"
              url="jdbc:oracle:thin:@DBSERVERNAME:PORT/SERVICENAME"
              username="USERNAME" password="PASSWORD"
              maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
              logAbandoned="true" testOnBorrow="true" validationQuery="select * from dual"/>
    <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
        <Store className="org.apache.catalina.session.FileStore"/>
    </Manager>
</Context>
5. Add the configuration for RemoteIpValve inside the <Context ...> tag.
Note: Refer to Policy Server [Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf for configuring RemoteIpValve in different server setups.
2.7 Disabling ProxyErrorOverride in Apache server
Perform the following steps if your Policy Server is deployed behind an Apache server:
1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines to it.
3. Restart the Apache server.
3 Setting Up and Configuring Policy Server
The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server [Version]\Web App folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.
Follow the steps below to configure the Policy Server.
3.1 Adding Deployment Specific Buffer Files
Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custombufferfiles folder. If the deployment is for a demo or POC and a default buffer file is needed, the buffer files can be copied from Policy Server [Version]\Installation Docs.
3.2 License File
Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.
3.3 Consent File
Place the Policy Server consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.
Note (applies to the server.xml connectors of 2.6.5): The HTTP header size is changed from the default 8 KB to 16 KB. This setting applies to all apps running on that Tomcat.
o If Tomcat is running on an HTTP/HTTPS port: add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... >
o If Tomcat is running on an AJP port: add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT_HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... >
o When Tomcat is running behind an Apache server, Apache will also need to be configured to accept 16 KB header size requests.
o If Tomcat/Apache is behind any Load Balancer (LB), make sure it is configured to accept 16 KB header size requests.
Lines to add to the Apache vhost file (2.7, step 2):
<If "%{HTTP_ACCEPT} =~ /json/">
    ProxyErrorOverride Off
</If>
<If "%{HTTP_ACCEPT} =~ /xml/">
    ProxyErrorOverride Off
</If>
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
17
This document is meant for training and informational purposes only and should not be distributed without permission The information in this
document is provided ldquoas-isrdquo without warranty of any kind and is subject to change without notice Seclore is not liable for any loss or damage
arising due to this information No part of this document may be reproduced in any form without the written consent of Seclore All logos and
trademarks are the properties of their respective owners
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
8
Note: Refer to SSL 3.0 Configuration.txt only to enable the SSL 3.0 protocol for IE6 and other dependent DC versions (24000 and older).
3. Add the configuration for the AJP connector.
Note:
o The AJP connector is needed if Apache is available in front of the Policy Server.
o In an ideal scenario only one connector configuration must be available and the other connector configurations removed.
o In Apache, the TTL configuration for the balancer member should be 1200 to match connectionTimeout and keepAliveTimeout. In case the configuration is changed, it should be corrected on both the Apache reverse proxy and the Tomcat server.
o The address attribute value should be the IP of the Tomcat server which is configured in Apache for ProxyPass.
o The requiredSecret attribute value should be the same as configured in Apache's policyserver vhost file. Refer to the secret keyword while configuring the AJP balancer manager.

HTTPS connector:
<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE" keyAlias="NAME_OF_KEYSTORE_ALIAS" keystorePass="PASSWORD"
    redirectPort="-1" maxHttpHeaderSize="16384" disableUploadTimeout="false" connectionUploadTimeout="3600000"
    acceptCount="100" acceptorThreadCount="2" maxThreads="15000" maxConnections="-1"
    useServerCipherSuitesOrder="true" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8" server="Seclore Server"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA">
</Connector>

AJP connector:
<Connector port="8009" protocol="AJP/1.3" packetSize="16384" URIEncoding="UTF-8"
    connectionTimeout="1200000" keepAliveTimeout="1200000" maxConnections="-1" maxThreads="15000"
    address="127.0.0.1" requiredSecret="YOUR_AJP_SECRET" />
4. Add the configuration for the Policy Server within the <Host…> tag.
Note: The docBase attribute should point to the Policy Server home folder, for example D:\Seclore\Policy Server.

For MSSQL Database Server:
Note: Refer to "How do I configure Windows Integrated Authentication for MSSQL" to enable Windows authentication for the MSSQL Database Server.
<Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
    <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
    <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
        driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
        url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
        username="USERNAME" password="PASSWORD"
        maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
        logAbandoned="true" testOnBorrow="true" validationQuery="select GETDATE()"/>
    <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
        <Store className="org.apache.catalina.session.FileStore"/>
    </Manager>
</Context>

For ORACLE Database Server:
Note: Refer to Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database Credentials Encryption Guide.txt to configure an encrypted username and password for the database.
<Context path="/policyserver" docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
    <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator" disableProxyCaching="true" securePagesWithPragma="false"/>
    <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
        driverClassName="oracle.jdbc.driver.OracleDriver"
        url="jdbc:oracle:thin:@DBSERVERNAME:PORT/SERVICENAME"
        username="USERNAME" password="PASSWORD"
        maxWaitMillis="5000" maxTotal="30000" removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
        logAbandoned="true" testOnBorrow="true" validationQuery="select * from dual"/>
    <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
        <Store className="org.apache.catalina.session.FileStore"/>
    </Manager>
</Context>
5. Add the configuration for RemoteIpValve inside the <Context…> tag.
Note: Refer to Policy Server[Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf for configuring RemoteIpValve in different server setups.
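The notes in steps 3 to 5 list the attributes that most often go wrong in a server.xml edited by hand: a requiredSecret or database password left at its placeholder, an AJP connector bound to an address other than the one Apache proxies to, both connector styles left in place, or connectionTimeout and keepAliveTimeout drifting apart. The script below is an added example and is not part of the Seclore package or of this guide; it parses server.xml with the Python standard library and reports those deviations as a list of finding codes. The two server.xml fragments inside it are constructed for the example, and the hostnames, credentials and AJP secret they contain are made up.

```python
"""Added example (not Seclore's code): check a Tomcat server.xml against the
Policy Server connector and Context guidance.  The sample configs are constructed."""
import xml.etree.ElementTree as ET

# Placeholder strings used in the guide; any of them left in a live config is a finding.
PLACEHOLDERS = {
    "YOUR_AJP_SECRET", "PASSWORD", "USERNAME", "DBSERVERNAME", "DATABASENAME",
    "ABSOLUTE PATH OF THE KEY STORE FILE", "ABSOLUTE PATH OF POLICYSERVER HOME FOLDER",
}


def _is_placeholder(value):
    return value is None or value.strip() == "" or any(p in value for p in PLACEHOLDERS)


def check_server_xml(xml_text, ajp_address="127.0.0.1"):
    """Return a list of finding codes; an empty list means every check passed.
    ajp_address is the Tomcat IP that Apache's ProxyPass points at (127.0.0.1 in
    the guide's sample, where Apache runs on the same host)."""
    findings = []
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    https = [c for c in connectors if c.get("SSLEnabled") == "true"]
    ajp = [c for c in connectors if c.get("protocol", "").upper().startswith("AJP")]

    # The guide wants only one connector style in place: HTTPS, or AJP behind Apache.
    if https and ajp:
        findings.append("both-https-and-ajp")
    if not https and not ajp:
        findings.append("no-connector")

    for c in https:
        protocols = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",")}
        if "SSLv3" in protocols:               # only meant for the legacy IE6 case
            findings.append("ssl3-enabled")
        if c.get("maxHttpHeaderSize") != "16384":
            findings.append("https-header-size")
        if _is_placeholder(c.get("keystoreFile")) or _is_placeholder(c.get("keystorePass")):
            findings.append("keystore-placeholder")

    for c in ajp:
        if _is_placeholder(c.get("requiredSecret")):   # must match Apache's 'secret'
            findings.append("ajp-secret-missing")
        if c.get("address") != ajp_address:
            findings.append("ajp-address")
        if c.get("packetSize") != "16384":
            findings.append("ajp-packet-size")
        if c.get("connectionTimeout") != c.get("keepAliveTimeout"):
            findings.append("ajp-timeout-mismatch")

    ctx = root.find(".//Context[@path='/policyserver']")
    if ctx is None:
        findings.append("context-missing")
    else:
        if _is_placeholder(ctx.get("docBase")):
            findings.append("docbase-placeholder")
        res = ctx.find("Resource[@name='jdbc/filesecure']")
        if res is None:
            findings.append("datasource-missing")
        elif any(_is_placeholder(res.get(a)) for a in ("url", "username", "password")):
            findings.append("datasource-placeholder")
    return findings


# Constructed sample: AJP-only setup with every placeholder replaced.
GOOD_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" packetSize="16384" URIEncoding="UTF-8"
    connectionTimeout="1200000" keepAliveTimeout="1200000" maxConnections="-1" maxThreads="15000"
    address="127.0.0.1" requiredSecret="made-up-secret-for-this-example"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
    <Context path="/policyserver" docBase="D:\\Seclore\\Policy Server">
      <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
      <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
        driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
        url="jdbc:sqlserver://db01.example.test:1433;databaseName=filesecure"
        username="psuser" password="example-only"/>
    </Context></Host></Engine></Service></Server>"""

# Constructed sample: both connectors present, SSL 3.0 on, placeholders left behind.
BAD_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" SSLEnabled="true"
    scheme="https" secure="true" maxHttpHeaderSize="16384" keystoreFile="D:\\keys\\acmegroup.keystore"
    keystorePass="PASSWORD" sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8009" protocol="AJP/1.3" packetSize="16384" connectionTimeout="1200000"
    keepAliveTimeout="1200000" address="0.0.0.0" requiredSecret="YOUR_AJP_SECRET"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
    <Context path="/policyserver" docBase="D:\\Seclore\\Policy Server">
      <Resource name="jdbc/filesecure" auth="Container" type="javax.sql.DataSource"
        url="jdbc:sqlserver://db01.example.test:1433;databaseName=filesecure"
        username="psuser" password="PASSWORD"/>
    </Context></Host></Engine></Service></Server>"""

if __name__ == "__main__":
    print("good:", check_server_xml(GOOD_SERVER_XML))
    print("bad: ", check_server_xml(BAD_SERVER_XML))
```

Run it against <TOMCAT_HOME>\conf\server.xml after completing steps 3 to 5 (read the file and pass its text to check_server_xml); pass the Tomcat IP configured in Apache's ProxyPass as ajp_address when Apache is on a different host. The checks are deliberately string comparisons against the values this guide prescribes, so a deployment that intentionally deviates (for example a different packetSize agreed with the Apache side) will show a finding that can be reviewed and dismissed.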
2.7 Disabling ProxyErrorOverride in Apache server
Perform the following steps if your Policy Server is deployed behind an Apache server:
1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines of code in it:
<If "%{HTTP_ACCEPT} =~ /json/">
    ProxyErrorOverride Off
</If>
<If "%{HTTP_ACCEPT} =~ /xml/">
    ProxyErrorOverride Off
</If>
3. Restart the Apache server.
3 Setting Up and Configuring Policy Server
The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server[Version]\Web App folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.
Follow the steps mentioned below to configure the Policy Server.
3.1 Adding Deployment Specific Buffer Files
Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custom\bufferfiles folder. If the deployment is for a demo or POC purpose and a default buffer file is needed, the buffer files can be copied from Policy Server[Version]\Installation Docs.
3.2 License File
Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.
3.3 Consent File
Place the Policy Server consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.
Note: The HTTP header size is changed from the default 8 KB to 16 KB. This setting will be applicable to all apps running on that Tomcat.
- If Tomcat is running on an HTTP/HTTPS port: add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... />
- If Tomcat is running on an AJP port: add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... />
- When Tomcat is running behind an Apache server, the Apache server will also need to be configured to accept 16 KB header size requests.
- If Tomcat/Apache is behind any Load Balancer (LB), make sure it is configured to accept 16 KB header size requests.
3.4 Run Tomcat Service
Configure a valid BYOK (Bring Your Own Key). Refer to "Configure BYOK (Bring Your Own Key) in Policy Server". Run the Apache Tomcat 9.0 service to start the Policy Server.
3.5 Provide Configuration Details
1. Access POLICY_SERVER_APPLICATION_URL/sysadmin.
2. Log in using system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.
Note: For any changes in the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration on system administrator login.
3.6 Seclore Online Help
The Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.
To configure Seclore Online Help:
1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:
   [Folder structure figure; entries as extracted: PolicyServer, portal pages, help, en, aportal, aum, eum, hag, sag, es]
3. Copy the contents from the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER.
4. Overwrite existing files and folders if prompted.
Note:
o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying help manuals are mentioned in this file.
o If the Online Help is not configured, an error page will be displayed to the user on clicking the Help icon in the Policy Server.
4 Configure BYOK (Bring Your Own Key) in Policy Server
Policy Server supports the following key management systems:
o Seclore MDK (Default): To configure Seclore MDK in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Seclore MDK Configuration Guide.txt
o Thales Hardware Security Module (Thales HSM): To configure Thales HSM in Policy Server, refer to Policy Server [Version]\Installation Docs\Supplements\Thales HSM Configuration Guide.txt
By default, Seclore MDK is configured. It is recommended to use Seclore MDK. However, you can disable it.
Perform the following steps to disable the BYOK:
1. Open <POLICYSERVER_HOME>\config\MDKConfig.xml
   a. Remove the entire <mdk-config> tag. The file as shipped:
      <?xml version="1.0" encoding="UTF-8"?>
      <mdk-configs>
          <!-- Configure External Encryption Mechanism here -->
          <mdk-config>
              <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
          </mdk-config>
      </mdk-configs>
   b. Only an empty <mdk-configs> tag should be present:
      <?xml version="1.0" encoding="UTF-8"?>
      <mdk-configs>
      </mdk-configs>
Note: BYOK is only configurable during the initial deployment. Once the setup goes live, the configuration cannot be altered.
5 Adoption Stats
Policy Server sends monthly and mid-month adoption statistics to productmetrics.seclore.com on the 1st and the 16th of every month. This feature is enabled by default. To disable Adoption Stats, refer to "How do I configure Adoption Stats feature in Policy Server".
Note: This feature requires a valid consent file to be available.
o For a Production deployment, Adoption Stats will not be sent if a valid consent file is not available.
o For a POC/Demo/UAT deployment, Adoption Stats will not be sent irrespective of the consent.
6 Post Installation Configurations
The Policy Server homepage can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]", for example "https://irm.acmegroup.com/policyserver".
System Admin login can be accessed using "https://[DOMAIN]:[PORT]/[POLICY_SERVER_APPLICATION_NAME]/sysadmin", for example "https://irm.acmegroup.com/policyserver/sysadmin".
A System Administrator can provide configuration details, configure repositories, create Organization Unit Admins (OU admin), manage Enterprise Applications, etc.
7 Configuring Other Components
7.1 Lite Server
Refer to the installation guide in the Policy Server [Version]\Installation Docs\Supplements\Lite Server Installation Guide.txt folder for the Lite Server Application deployment.
8 Uploading Customized Seclore Client Installers in Policy Server
1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.
2. Log in using System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After successful upload, view the installer details in the Uploaded Installer and Patches section.
6. To verify the uploaded installer file, click the download icon or the installer file name.
9 Frequently Asked Questions
9.1 How do I acquire the Policy Server License?
To acquire the license:
1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run UserInfo.exe on the machine where the Policy Server needs to be installed.
The above step generates an XML file, which can be found in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.
9.2 How do I set up the logger?
Logging for the Policy Server can be set in 4 different modes:
Off: Logs nothing
Error: Logs only errors
Info: Logs errors and the major milestones, like connection to the database or connection to AD
Debug: Logs each processing step of the server in detail
To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. The loggers are:
REQUEST: Logs all the requests sent by different clients to the Policy Server (<POLICYSERVER_HOME>\logs\Request.log)
DEBUG: Logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log)
SYNC: Logs the steps while synchronizing different repositories (<POLICYSERVER_HOME>\logs\Sync.log)
Modify the following properties of the different loggers for the logging type required:
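Changing the level attribute of the three AsyncLogger entries by hand is easy to get wrong (a mode outside the four listed, or a logger left at debug after go-live, where it records every processing step of every request). The following Python script is an added example, not Seclore's code; it reads and rewrites the REQUEST, DEBUG and SYNC levels in a log4j2.xml while validating the mode against the four this section lists, and reports which loggers are still at debug. The sample log4j2.xml embedded in it is constructed for the example and only mirrors the AsyncLogger lines shown in this section, not the real file shipped with the Policy Server.

```python
"""Added example (not Seclore's code): read and change the Policy Server
log4j2 logger levels.  SAMPLE_LOG4J2 is constructed for the example."""
import xml.etree.ElementTree as ET

# The four modes this section lists, least to most verbose.
MODES = ("off", "error", "info", "debug")
# The three loggers named in this section.
PS_LOGGERS = ("REQUEST", "DEBUG", "SYNC")

SAMPLE_LOG4J2 = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <RollingFile name="RequestFile" fileName="logs/Request.log" filePattern="logs/Request-%i.log">
      <PatternLayout pattern="%d %p %m%n"/>
      <SizeBasedTriggeringPolicy size="10 MB"/>
    </RollingFile>
  </Appenders>
  <Loggers>
    <AsyncLogger name="REQUEST" level="debug" additivity="false">
      <AppenderRef ref="RequestFile"/>
    </AsyncLogger>
    <AsyncLogger name="DEBUG" level="debug" additivity="false"/>
    <AsyncLogger name="SYNC" level="debug" additivity="false"/>
    <Root level="error"/>
  </Loggers>
</Configuration>
"""


def get_logger_levels(xml_text):
    """Map logger name -> current level for the three Policy Server loggers."""
    root = ET.fromstring(xml_text)
    return {lg.get("name"): lg.get("level", "").lower()
            for lg in root.iter("AsyncLogger") if lg.get("name") in PS_LOGGERS}


def set_logger_levels(xml_text, new_levels):
    """Return the XML text with the given loggers set to the given modes.
    Rejects unknown loggers and modes outside the four documented ones before
    touching anything, so a typo cannot leave the file half-edited."""
    for name, level in new_levels.items():
        if name not in PS_LOGGERS:
            raise ValueError("unknown Policy Server logger: %s" % name)
        if level.lower() not in MODES:
            raise ValueError("level %r is not one of %s" % (level, MODES))
    root = ET.fromstring(xml_text)
    for lg in root.iter("AsyncLogger"):
        if lg.get("name") in new_levels:
            lg.set("level", new_levels[lg.get("name")].lower())
    return ET.tostring(root, encoding="unicode")


def debug_loggers(xml_text):
    """Names of loggers still at 'debug'; review these before a production go-live."""
    return sorted(n for n, lvl in get_logger_levels(xml_text).items() if lvl == "debug")


if __name__ == "__main__":
    quieter = set_logger_levels(SAMPLE_LOG4J2, {"REQUEST": "info", "SYNC": "error"})
    print(get_logger_levels(quieter), "still at debug:", debug_loggers(quieter))
```

To apply it to a deployment, read <POLICYSERVER_HOME>\config\log4j2.xml, pass the text through set_logger_levels, write the result back and restart the Tomcat service; ET.tostring drops the XML declaration, so prepend it again if the file is expected to keep one.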
<AsyncLogger name="REQUEST" level="debug" additivity="false">
<AsyncLogger name="DEBUG" level="debug" additivity="false">
<AsyncLogger name="SYNC" level="debug" additivity="false">
9.3 How do I generate a self-signed SSL certificate?
To create the certificate file:
1. Open a command prompt.
2. Enter details as shown below. Change the current directory to the Seclore folder created earlier, for example D:\Seclore.
Note:
o Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
o For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.
o The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.
3. Enter the following command.
Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.
o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore
At the end of this activity an "acmegroup.keystore" file is created. The keystore file is created in the directory pointed to by the command prompt while running the keytool command; for example, in the sample screens above the keystore file is generated at D:\Seclore.
Note: This keystore file will later be referred to in the Tomcat server.xml configuration.
9.4 How do I get a CA signed SSL certificate?
Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.
To generate a CSR (Certificate Signing Request) and to import the certificate:
1. Generate the keystore file. Refer to "How do I generate a self-signed SSL certificate" to get the keystore file.
2. To generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:
      keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.
   c. Send the CSR to the vendor of the SSL certificate.
Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.
3. After receiving the certificates from the vendor, import them into the keystore:
   For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
9.5 How do I configure Windows Integrated Authentication for MSSQL?
To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server[Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.
9.6 What is JNDI Connection Pooling?
Policy Server uses a JNDI connection pool to connect with the Active Directory Domain Controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends that the following parameter be provided with the Tomcat startup arguments:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter instructs the pool to release a connection that has been idle in the pool for more than 10 minutes (600000 milliseconds). You can configure other parameters also, according to the requirements of the deployment.
To configure the startup parameter in Tomcat Server:
1. The syntax to configure the parameter is -Dparam_name=param_value
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name/value pair. For example:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
9.7 How do I configure Adoption Stats feature in Policy Server?
To disable or enable the Adoption Stats feature, execute the respective script in the database.
For disabling Adoption Stats:
o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql
For enabling Adoption Stats:
o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql
9.8 How do I tune the system for higher performance?
For tuning the system to achieve higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.
10 Resources
Below is the list of documents included, with their location.

Document | Description

Location: Policy Server [Version]\Installation Docs
Lite Server Installation Guide.txt | Steps for Lite Server installation

Location: Policy Server [Version]\Installation Docs\Supplements
Configuring SSO Using WebSEAL Junction.txt | Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
Connecting to AD over SSL.txt | Steps to import the SSL certificate in the JVM for connection to Active Directory (over SSL)
SIM repository Configuration.pdf | Steps to configure SIM Repository in Policy Server
Import Self-signed Certificate in Java.txt | Steps to import a self-signed certificate in the Java Certificate Trust Store
Tweaking Tomcat JVM Memory.txt | Steps to configure the JVM memory of Tomcat
Tomcat Valve Configuration for Resolving Client IP Addresses.pdf | Steps to configure RemoteIPValve in different server environment setups
Thales HSM Configuration Guide.txt | Steps to configure Thales HSM in Policy Server
Google Authentication Configuration Guide.pdf | Steps to configure Google authentication in Policy Server
Azure Authentication Configuration Guide.pdf | Steps to configure Azure authentication in Policy Server
Seclore License Portal – User Manual.pdf | Steps to generate a valid PolicyServer.consent file
Seclore MDK Configuration Guide.txt | Steps to configure Seclore MDK in Policy Server
SSL 3.0 Configuration.txt | Steps to enable/disable SSL 3.0
GDPR Implementation Guide.pdf | Steps to implement GDPR in Policy Server

Location: Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
Windows Integrated Auth MSSQL.pdf | Steps to configure Windows integrated authentication for MSSQL

Location: Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
Outlook on the Web Add-in Configuration Guide.pdf | Steps to install and configure the Outlook on the web Add-in for Policy Server

Location: Policy Server [Version]\Installation Docs\References
Creating Database Schema.pdf | Steps to configure the database and execute the database script for Policy Server
Open JDK 11 Installation Guide.pdf | Steps to install Open JDK 11 for Policy Server
Tomcat 9 Installation Guide.pdf | Steps to install Apache Tomcat 9 for Policy Server
Seclore Supported Timezones.pdf | List of timezones that can be configured in Tomcat Java options
TCP Socket Timeout Configuration.txt | Steps to configure tcpTimedWaitDelay
This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
9
4 Add the configuration for Policy Server within the ltHosthellipgt tag
Note docBase attribute should point to the Policy Server home folder For example DSeclorePolicy
Server
For MSSQL Database Server
Note Refer How toConfigure Windows Integrated Authentication for MSSQL to enable Windows
authentication for MSSQL Database Server
For ORACLE Database Server
Note Refer Policy Server [Version]ToolsTomcatDatabase Credentials EncryptionDatabase
Credentials Encryption Guidetxt to configure encrypted username and password for the database
ltContext path=policyserver docBase=ABSOLUTE PATH OF POLICYSERVER HOME FOLDER gt ltValve className=orgapachecatalinavalvesRemoteIpValvegt ltValve className=orgapachecatalinaauthenticatorNonLoginAuthenticator disableProxyCaching=true securePagesWithPragma=false gt ltResource name=jdbcfilesecure auth=Container type=javaxsqlDataSource driverClassName=commicrosoftsqlserverjdbcSQLServerDriver url=jdbcsqlserverDBSERVERNAMEPORTdatabaseName=DATABASENAME username=USERNAME password=PASSWORD maxWaitMillis=5000 maxTotal=30000 removeAbandonedOnBorrow=true removeAbandonedTimeout=300 logAbandoned=true testOnBorrow=true validationQuery=select GETDATE()gt ltManager className=orgapachecatalinasessionPersistentManager saveOnRestart=falsegt ltStore className=orgapachecatalinasessionFileStoregt ltManagergt ltContextgt
ltContext path=policyserver docBase=ABSOLUTE PATH OF POLICYSERVER HOME FOLDER gt ltValve className=orgapachecatalinavalvesRemoteIpValvegt ltValve className=orgapachecatalinaauthenticatorNonLoginAuthenticator disableProxyCaching=true securePagesWithPragma=false gt ltResource name=jdbcfilesecure auth=Container type=javaxsqlDataSource driverClassName=oraclejdbcdriverOracleDriver url=jdbcoraclethinDBSERVERNAMEPORTSERVICENAME username=USERNAME password=PASSWORD maxWaitMillis=5000 maxTotal=30000 removeAbandonedOnBorrow=true removeAbandonedTimeout=300 logAbandoned=true testOnBorrow=true validationQuery=select from dualgt ltManager className=orgapachecatalinasessionPersistentManager saveOnRestart=falsegt ltStore className=orgapachecatalinasessionFileStoregt ltManagergt ltContextgt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
10
5 Add the configuration for RemoteIpValve inside the ltContexthellipgt tag
Note Refer to Policy Server[Version]Installation DocsSupplementsTomcat Valve Configuration for
Resolving Client IP Addressespdf for configuring RemoteValve in different server setups
27 Disabling ProxyErrorOverride in Apache server
Perform the following steps if your Policy Server is deployed behind an Apache server
1 Open the vhost file where Policy Serverrsquos proxypass is configured
2 Add following lines of code in it
3 Restart Apache server
3 Setting Up and Configuring Policy Server The Policy Server installation shipped in the PolicyServerzip requires some configuration settings Extract the contents
of the zipped folder from the Policy Server[Version]Web App folder to another folder You can name the new folder as
ltPOLICYSERVER_HOMEgt For example DSeclorePolicy ServIer
Follow the steps mentioned below to configure the Policy Server
31 Adding Deployment Specific Buffer Files
Deployment specific PDF buffer files are required if Seclore Lite Online is installed Copy the customer specific PDF
buffer files in the ltPOLICYSERVER_HOMEgtcustombufferfiles folder If the deployment if for a demo or POC
purpose and a default buffer file is needed then the buffer files can be copied from Policy
Server[Version]Installation Docs
32 License File
Place the Policy Server license file (PolicyServerlic) in the ltPOLICYSERVER_HOMEgtconfig folder
33 Consent File
Place the Policy Server Consent file (PolicyServerconsent) in the ltPOLICYSERVER_HOMEgtconfig folder
Note Http Header size is changed from default 8KB to 16KB This setting will be applicable for all apps running on that Tomcat If Tomcat is running on httphttps port
- Add lsquomaxHttpHeaderSizersquo attribute with value ldquo16384 to configured connector in ltTOMCAT-HOMEgtconfserverxml eg ltConnector port=8080 maxHttpHeaderSize=16384 protocol=HTTP11 gt
If Tomcat is running on AJP port - Add lsquopacketSizersquo attribute with value ldquo16384 to configured connector in
ltTOMCAT-HOMEgtconfserverxml eg ltConnector port=8009 protocol=AJP13 packetSize=16384 gt
When Tomcat is running behind Apache server Apache server will also need to be configured to accept 16KB header size requests
If TomcatApache is behind any Load Balancer (LB) please make sure it is configured
to accept 16KB header size requests
ltIf HTTP_ACCEPT =~ jsongt ProxyErrorOverride Off ltIfgt ltIf HTTP_ACCEPT =~ xmlgt ProxyErrorOverride Off ltIfgt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
11
34 Run Tomcat Service
Configure a valid BYOK (Bring Your Own Key) Refer to Configure BYOK (Bring Your Own Key) in Policy Server Run the
Apache Tomcat 90 service to start the Policy Server
35 Provide Configuration Details
1 Access the POLICY_SERVER_APPLICATION_URLsysadmin
2 Log in using system administrator credentials The Manage Server Configuration page appears
3 Enter information such as Organization Name Application Name Application URL etc
4 Click Save
5 Restart Tomcat service
Note For any changes in the configuration you can access the Manage Server Configuration page from More gtgt
Configuration gtgt Manager Server Configuration on system administrator login
36 Seclore Online Help
Seclore Online Help are updated regularly to provide the latest information about Seclore components and their
functionalities
To configure Seclore Online Help
1 Get the latest Help Manuals from Seclore
2 Extract PolicyServerzip from this folder The extracted folder has the following structure
3 Copy the contents from the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER
4 Overwrite existing files and folders if prompted
Note
o Refer READMEtxt file provided with help manuals Detailed instructions for deploying help manuals are
mentioned in this file
o If the Online Help is not configured an error page will be displayed to the user on clicking the Help icon in
the Policy Server
4 Configure BYOK (Bring Your Own Key) in Policy Server Policy Server supports the following key management systems
o Seclore MDK (Default) To configure Seclore MDK in Policy Server refer to Policy Server
[Version]Installation DocsSupplementsSeclore MDK Configuration Guidetxt
o Thales Hardware Security Module (Thales HSM) To configure Thales HSM in Policy Server refer to
Policy Server [Version]Installation DocsSupplementsThales HSM Configuration Guidetxt
By default Seclore MDK is configured It is recommended to use Seclore MDK However you can disable it
Perform Following steps to disable the BYOK
PolicyServer portal pages
help
en
aportal
aum
eum
hag
sag
es
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
12
1 Open ltPOLICYSERVER_HOMEgtconfigMDKConfigxml
a Remove the entire ltmdk-configgt tag
b Only an empty ltmdk-configsgt tag should be present
Note BYOK is only configurable during the initial deployment Once the setup goes live the Configuration cannot
be altered
5 Adoption Stats Policy Server sends monthly and midmonth adoption statistics to productmetricsseclorecomon the 1st and the 16th
of every month This feature will be enabled by default To disable Adoption Stats refer to How to configure Adoption
Stats feature in Policy Server
Note This feature requires a valid consent file to be available
For Production deployment Adoption Stats will not be sent if valid consent file is not available
For POCDemoUAT deployment Adoption Stats will not be sent irrespective of the consent
6 Post Installation Configurations Policy Server homepage can be accessed using
ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAMErdquo
For example ldquohttpsirmacmegroupcompolicyserverrdquo
System Admin login can be accessed using
ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAME]sysadminrdquo
For example ldquohttpsirmacmegroupcompolicyserversysadminrdquo
A System Administrator can provide configuration details configure repositories create Organization Unit
Admin (OU admin) Manage Enterprise Application etc
7 Configuring Other Components
7.1 Lite Server
Refer to the Lite Server Installation Guide.txt in the Policy Server [Version]\Installation Docs\Supplements folder for the Lite Server application deployment.
8 Uploading Customized Seclore Client Installers in Policy Server
1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin URL.
2. Log in using System Admin credentials.
3. Navigate to More >> Configuration >> Installer and Patch Management.
4. Upload the installers of all the clients.
5. After a successful upload, view the installer details in the Uploaded Installer and Patches section.
(MDKConfig.xml listings referenced in section 4, step 1)
Before, with Seclore MDK configured:
<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
    <!-- Configure External Encryption Mechanism here -->
    <mdk-config>
        <adaptor-class>com.seclore.mdk.adaptor.core.SecloreA2MDKAdaptor</adaptor-class>
    </mdk-config>
</mdk-configs>
After, with BYOK disabled:
<?xml version="1.0" encoding="UTF-8"?>
<mdk-configs>
</mdk-configs>
6. To verify the uploaded installer file, click the download icon or the installer file name.
9 Frequently Asked Questions
9.1 How do I acquire the Policy Server License?
To acquire the license:
1. Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility.
2. Run the UserInfo.exe file on the machine where the Policy Server needs to be installed.
The above step generates an XML file in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.
9.2 How do I set up the logger?
Logging for the Policy Server can be set to 4 different modes:
Off: Logs nothing.
Error: Logs only errors.
Info: Logs errors and major milestones, like connection to the database or connection to AD.
Debug: Logs each processing step of the server in detail.
To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. It defines the following loggers:
REQUEST: Logs all the requests sent by different clients to Policy Server (<POLICYSERVER_HOME>\logs\Request.log).
DEBUG: Logs all the processing steps for any request to be served (<POLICYSERVER_HOME>\logs\PolicyServer.log).
SYNC: Logs the steps while synchronizing different repositories (<POLICYSERVER_HOME>\logs\Sync.log).
Modify the level property of each of the following loggers to select its logging mode:
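The following Python helper is an added example, not part of the Seclore guide. It reads the AsyncLogger entries from a log4j2.xml document, reports their levels, and rewrites them to one of the four modes listed above, refusing any other value or any logger name that is not present. The embedded log4j2.xml fragment is constructed for the example (its AppenderRef names are assumptions); only the three logger names and the level attribute come from this guide. Since the REQUEST logger at debug records every client request, production_warnings lists the guide's loggers still at debug so they can be lowered before go-live.

```python
import xml.etree.ElementTree as ET

VALID_LEVELS = ("off", "error", "info", "debug")   # the four modes from section 9.2
GUIDE_LOGGERS = ("REQUEST", "DEBUG", "SYNC")        # loggers named in section 9.2

# Constructed log4j2.xml fragment: logger names and level attribute as in the
# guide, AppenderRef names assumed for the example.
LOG4J2_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Loggers>
    <AsyncLogger name="REQUEST" level="debug" additivity="false">
      <AppenderRef ref="RequestLog"/>
    </AsyncLogger>
    <AsyncLogger name="DEBUG" level="debug" additivity="false">
      <AppenderRef ref="PolicyServerLog"/>
    </AsyncLogger>
    <AsyncLogger name="SYNC" level="debug" additivity="false">
      <AppenderRef ref="SyncLog"/>
    </AsyncLogger>
    <Root level="error"/>
  </Loggers>
</Configuration>
"""


def _logger_elements(root):
    """Yield every named logger element (AsyncLogger as in the guide, plus plain Logger)."""
    for element in root.iter():
        if element.tag in ("AsyncLogger", "Logger"):
            yield element


def get_logger_levels(xml_text):
    """Map each named logger in the document to its lower-cased level."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.get("level", "").lower() for e in _logger_elements(root)}


def set_logger_levels(xml_text, new_levels):
    """Return the document with the given loggers switched to new levels.

    Levels outside the four modes, or logger names that do not occur in the
    document, raise ValueError so a typo cannot leave a logger unchanged silently.
    """
    for name, level in new_levels.items():
        if level.lower() not in VALID_LEVELS:
            raise ValueError(f"{name}: unsupported level {level!r}, expected one of {VALID_LEVELS}")
    root = ET.fromstring(xml_text)
    changed = set()
    for element in _logger_elements(root):
        name = element.get("name")
        if name in new_levels:
            element.set("level", new_levels[name].lower())
            changed.add(name)
    missing = set(new_levels) - changed
    if missing:
        raise ValueError("loggers not found in document: " + ", ".join(sorted(missing)))
    return ET.tostring(root, encoding="unicode")


def production_warnings(xml_text):
    """Names of the guide's loggers still at debug (REQUEST at debug records every request)."""
    levels = get_logger_levels(xml_text)
    return sorted(name for name in GUIDE_LOGGERS if levels.get(name) == "debug")


if __name__ == "__main__":
    print(get_logger_levels(LOG4J2_SAMPLE))
    print(production_warnings(LOG4J2_SAMPLE))
```

ElementTree does not preserve comments or the XML declaration when it writes the tree back, so for the real <POLICYSERVER_HOME>\config\log4j2.xml review the rewritten text before replacing the file.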
9.3 How do I generate a self-signed SSL certificate?
To create the certificate file:
1. Open a command prompt.
2. Change the current directory to the Seclore folder created earlier, for example D:\Seclore, and enter the details as shown below.
Note:
- Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file.
- For "First and last name", enter the Fully Qualified Domain Name of the Policy Server domain, for example www.yourdomain.com. For a Wildcard Certificate, this must begin with the * character, for example *.yourdomain.com.
- The keystore password and the key password for the alias name are required for smooth functioning of the Policy Server application.
3. Enter the following command.
Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.
o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore
(log4j2.xml logger properties referenced in section 9.2)
<AsyncLogger name="REQUEST" level="debug" additivity="false">
<AsyncLogger name="DEBUG" level="debug" additivity="false">
<AsyncLogger name="SYNC" level="debug" additivity="false">
At the end of this activity, an "acmegroup.keystore" file is created in the directory the command prompt pointed to while running the keytool command. For example, in the sample screens above, the keystore file is generated at D:\Seclore.
Note: This keystore file is referred to later in the Tomcat server.xml configuration.
9.4 How do I get a CA signed SSL certificate?
Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.
To generate a CSR (Certificate Signing Request) and import the certificates:
1. Generate the keystore file. Refer to "How do I generate a self-signed SSL certificate" (section 9.3) to get the keystore file.
2. To generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:
keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current directory.
   c. Send the CSR to the vendor of the SSL certificate.
Note: Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.
3. After receiving the certificates from the vendor, import them into the keystore:
For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
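The following Python script is an added example covering sections 9.3 and 9.4; it is not part of the Seclore guide. It assembles the keytool command lines given above as argument lists ready for subprocess.run, validates the "First and last name" rule (an FQDN, or *.FQDN for a wildcard), and audits a constructed excerpt of `keytool -list -v` output for the problems an operator should catch before the keystore goes into server.xml: a weak signature algorithm, an RSA key shorter than 2048 bits, a chain that still holds only the self-signed certificate (the root and intermediate from step 3 not yet imported) and expiry. The guide's genkey command passes -sigalg SHA1WithRSA; the helper defaults to SHA256withRSA because SHA-1 certificate signatures are rejected by current browsers. The sample listing, the function names and the 30-day expiry window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone


def build_keytool_commands(alias, keystore, csr_file="csr.txt", sigalg="SHA256withRSA"):
    """The keytool command lines of sections 9.3 and 9.4 as argument lists.

    sigalg defaults to SHA256withRSA (the guide's own command uses SHA1WithRSA,
    which current browsers reject); pass sigalg explicitly to reproduce the guide.
    """
    def keytool_import(import_alias, cert_file):
        return ["keytool", "-import", "-trustcacerts", "-alias", import_alias,
                "-file", cert_file, "-keystore", keystore]
    return {
        "genkey": ["keytool", "-genkey", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
                   "-validity", "36500", "-sigalg", sigalg, "-keystore", keystore],
        "certreq": ["keytool", "-certreq", "-alias", alias, "-file", csr_file, "-keystore", keystore],
        "import_root": keytool_import("root", "root.crt"),
        "import_inter": keytool_import("inter", "inter.crt"),
        "import_domain": keytool_import(alias, "mydomain.crt"),
    }


HOSTNAME = re.compile(r"([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")


def validate_cn(cn):
    """'First and last name' must be an FQDN, or '*.' followed by an FQDN for a wildcard."""
    if cn.startswith("*"):
        if not cn.startswith("*."):
            return False
        cn = cn[2:]
    return HOSTNAME.fullmatch(cn) is not None


# Constructed excerpt in the shape of `keytool -list -v` output: the keystore
# right after step 3 of section 9.3 (self-signed, SHA-1 signature, chain of 1).
KEYTOOL_LIST_SAMPLE = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 10, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.yourdomain.com, OU=IT, O=Acme Group, C=US
Issuer: CN=www.yourdomain.com, OU=IT, O=Acme Group, C=US
Serial number: 1a2b3c
Valid from: Wed Jan 10 10:00:00 UTC 2024 until: Fri Dec 23 10:00:00 UTC 2123
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
"""


def audit_keystore_listing(text, now=None):
    """Parse `keytool -list -v` output; return {alias: [issues]} for each PrivateKeyEntry."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    findings = {}
    for block in re.split(r"\n(?=Alias name:)", text):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if not alias or "Entry type: PrivateKeyEntry" not in block:
            continue
        issues = []
        sig = re.search(r"^Signature algorithm name: (\S+)", block, re.M)
        if sig and sig.group(1).upper().startswith(("SHA1", "MD5")):
            issues.append("weak signature algorithm " + sig.group(1))
        bits = re.search(r"^Subject Public Key Algorithm: (\d+)-bit RSA", block, re.M)
        if bits and int(bits.group(1)) < 2048:
            issues.append("RSA key shorter than 2048 bits")
        chain = re.search(r"^Certificate chain length: (\d+)", block, re.M)
        if chain and int(chain.group(1)) < 2:
            issues.append("chain length 1: self-signed, or root/intermediate not imported yet")
        until = re.search(r"until: (.+)$", block, re.M)
        if until:
            try:
                expiry = datetime.strptime(until.group(1).strip(), "%a %b %d %H:%M:%S %Z %Y")
            except ValueError:
                issues.append("could not parse expiry date: " + until.group(1).strip())
            else:
                if expiry < now:
                    issues.append("certificate expired on " + expiry.date().isoformat())
                elif expiry < now + timedelta(days=30):
                    issues.append("certificate expires within 30 days")
        findings[alias.group(1).strip()] = issues
    return findings


if __name__ == "__main__":
    print(" ".join(build_keytool_commands("tomcat", "acmegroup.keystore")["genkey"]))
    print(audit_keystore_listing(KEYTOOL_LIST_SAMPLE))
```

After step 3 of section 9.4 the chain length reported for the tomcat alias should be 3 (domain, intermediate, root); a chain length of 1 at that point means the domain certificate was imported under the wrong alias or the CA certificates were skipped.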
9.5 How do I configure Windows Integrated Authentication for MSSQL?
To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the Policy Server[Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf file.
9.6 What is JNDI Connection Pooling?
Policy Server uses a JNDI connection pool to connect with the Active Directory Domain Controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends the following parameter to be provided with the Tomcat startup arguments:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter instructs the pool to release a connection if it has been idle in the pool for more than 10 minutes (600000 milliseconds). You can configure other parameters also according to the requirements of the deployment.
To configure the startup parameter in Tomcat Server:
1. The syntax to configure the parameter is -Dparam_name=param_value
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name-value pair. For example:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
9.7 How do I configure the Adoption Stats feature in Policy Server?
To disable or enable the Adoption Stats feature, execute the respective script in the database.
For disabling Adoption Stats:
o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql
For enabling Adoption Stats:
o MSSQL Database: Policy Server[Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
o Oracle Database: Policy Server[Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql
9.8 How do I tune the system for higher performance?
To tune the system for higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.
10 Resources
Below is the list of documents included, with their locations (Document: Description).

Policy Server [Version]\Installation Docs
- Lite Server Installation Guide.txt: Steps for Lite Server installation

Policy Server [Version]\Installation Docs\Supplements
- Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
- Connecting to AD over SSL.txt: Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL)
- SIM repository Configuration.pdf: Steps to configure SIM Repository in Policy Server
- Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate into the Java Certificate Trust Store
- Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat
- Tomcat Valve Configuration for Resolving Client IP Addresses.pdf: Steps to configure RemoteIpValve in different server environment setups
- Thales HSM Configuration Guide.txt: Steps to configure Thales HSM in Policy Server
- Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server
- Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server
- Seclore License Portal – User Manual.pdf: Steps to generate a valid PolicyServer.consent file
- Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server
- SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0
- GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
- Windows Integrated Auth MSSQL.pdf: Steps to configure Windows integrated authentication for MSSQL

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
- Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in for Policy Server

Policy Server [Version]\Installation Docs\References
- Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server
- Open JDK 11 Installation Guide.pdf: Steps to install Open JDK 11 for Policy Server
- Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server
- Seclore Supported Timezones.pdf: List of timezones that can be configured in the Tomcat Java options
- TCP Socket Timeout Configuration.txt: Steps to configure tcpTimedWaitDelay
This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.
5. Add the configuration for RemoteIpValve inside the <Context…> tag.
Note: Refer to Policy Server[Version]\Installation Docs\Supplements\Tomcat Valve Configuration for Resolving Client IP Addresses.pdf for configuring RemoteIpValve in different server setups.
2.7 Disabling ProxyErrorOverride in Apache server
Perform the following steps if your Policy Server is deployed behind an Apache server:
1. Open the vhost file where the Policy Server's ProxyPass is configured.
2. Add the following lines to it:
<If "%{HTTP_ACCEPT} =~ /json/">
    ProxyErrorOverride Off
</If>
<If "%{HTTP_ACCEPT} =~ /xml/">
    ProxyErrorOverride Off
</If>
3. Restart the Apache server.
3 Setting Up and Configuring Policy Server
The Policy Server installation shipped in PolicyServer.zip requires some configuration settings. Extract the contents of the zipped folder from the Policy Server[Version]\Web App folder to another folder. You can name the new folder <POLICYSERVER_HOME>, for example D:\Seclore\Policy Server.
Follow the steps mentioned below to configure the Policy Server.
3.1 Adding Deployment Specific Buffer Files
Deployment-specific PDF buffer files are required if Seclore Lite Online is installed. Copy the customer-specific PDF buffer files into the <POLICYSERVER_HOME>\custombufferfiles folder. If the deployment is for a demo or POC purpose and a default buffer file is needed, the buffer files can be copied from Policy Server[Version]\Installation Docs.
3.2 License File
Place the Policy Server license file (PolicyServer.lic) in the <POLICYSERVER_HOME>\config folder.
3.3 Consent File
Place the Policy Server consent file (PolicyServer.consent) in the <POLICYSERVER_HOME>\config folder.
Note: The HTTP header size is changed from the default 8KB to 16KB. This setting applies to all apps running on that Tomcat.
- If Tomcat is running on an HTTP/HTTPS port: add the 'maxHttpHeaderSize' attribute with value "16384" to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g. <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1" ... />
- If Tomcat is running on an AJP port: add the 'packetSize' attribute with value "16384" to the configured connector in <TOMCAT-HOME>\conf\server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" packetSize="16384" ... />
- When Tomcat is running behind an Apache server, the Apache server will also need to be configured to accept 16KB header size requests.
- If Tomcat/Apache is behind any Load Balancer (LB), please make sure it is configured to accept 16KB header size requests.
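The following Python check is an added example, not part of the Seclore guide. It parses a server.xml document and reports every Connector whose maxHttpHeaderSize (HTTP/HTTPS connectors) or packetSize (AJP connectors) is below 16384 bytes, treating a missing attribute as Tomcat's 8192-byte default, and can rewrite the document with the attribute set on every undersized connector. The sample server.xml is constructed for the example; the function names are my own.

```python
import xml.etree.ElementTree as ET

REQUIRED_BYTES = 16384   # 16KB, the size this guide asks for
TOMCAT_DEFAULT = 8192    # Tomcat's default for both maxHttpHeaderSize and packetSize (8KB)

# Constructed sample server.xml: one HTTP connector already raised to 16KB, one
# HTTPS connector left at the default, and one AJP connector still at 8KB.
SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!-- constructed for the example -->
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="16384" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3" packetSize="8192" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def size_attribute(connector):
    """AJP connectors are sized by packetSize, HTTP/HTTPS connectors by maxHttpHeaderSize."""
    protocol = connector.get("protocol", "HTTP/1.1").upper()   # "AJP/1.3" or the AjpNioProtocol class
    return "packetSize" if "AJP" in protocol else "maxHttpHeaderSize"


def check_connectors(xml_text, required=REQUIRED_BYTES):
    """Return one (port, attribute, effective_value, compliant) tuple per Connector."""
    root = ET.fromstring(xml_text)
    results = []
    for connector in root.iter("Connector"):
        attr = size_attribute(connector)
        raw = connector.get(attr)
        value = int(raw) if raw is not None else TOMCAT_DEFAULT
        results.append((connector.get("port"), attr, value, value >= required))
    return results


def noncompliant_ports(xml_text, required=REQUIRED_BYTES):
    """Ports of connectors that would still reject 16KB headers."""
    return [port for port, _, _, ok in check_connectors(xml_text, required) if not ok]


def fix_connectors(xml_text, required=REQUIRED_BYTES):
    """Return server.xml text with every undersized Connector raised to `required`.

    Comments are kept (insert_comments needs Python 3.8+); the XML declaration is
    not, so review the result before replacing the real file.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    for connector in root.iter("Connector"):
        attr = size_attribute(connector)
        raw = connector.get(attr)
        if raw is None or int(raw) < required:
            connector.set(attr, str(required))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, attr, value, ok in check_connectors(SERVER_XML):
        print(f"port {port}: {attr}={value} {'OK' if ok else 'TOO SMALL'}")
```

The check only covers Tomcat; the Apache server and any load balancer in front of it, as the note above says, must be raised to 16KB separately.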
3.4 Run Tomcat Service
Configure a valid BYOK (Bring Your Own Key); refer to "Configure BYOK (Bring Your Own Key) in Policy Server" (section 4). Run the Apache Tomcat 9.0 service to start the Policy Server.
3.5 Provide Configuration Details
1. Access the POLICY_SERVER_APPLICATION_URL/sysadmin.
2. Log in using system administrator credentials. The Manage Server Configuration page appears.
3. Enter information such as Organization Name, Application Name, Application URL, etc.
4. Click Save.
5. Restart the Tomcat service.
Note: For any changes in the configuration, you can access the Manage Server Configuration page from More >> Configuration >> Manage Server Configuration in the system administrator login.
3.6 Seclore Online Help
Seclore Online Help is updated regularly to provide the latest information about Seclore components and their functionalities.
To configure Seclore Online Help:
1. Get the latest Help Manuals from Seclore.
2. Extract PolicyServer.zip from this folder. The extracted folder has the following structure:
3. Copy the contents from the Policy Server folder to the absolute path of the POLICYSERVER HOME folder.
4. Overwrite existing files and folders if prompted.
Note:
o Refer to the README.txt file provided with the help manuals. Detailed instructions for deploying the help manuals are given in this file.
o If the Online Help is not configured, an error page is displayed to the user on clicking the Help icon in the Policy Server.
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
11
34 Run Tomcat Service
Configure a valid BYOK (Bring Your Own Key) Refer to Configure BYOK (Bring Your Own Key) in Policy Server Run the
Apache Tomcat 90 service to start the Policy Server
35 Provide Configuration Details
1 Access the POLICY_SERVER_APPLICATION_URLsysadmin
2 Log in using system administrator credentials The Manage Server Configuration page appears
3 Enter information such as Organization Name Application Name Application URL etc
4 Click Save
5 Restart Tomcat service
Note For any changes in the configuration you can access the Manage Server Configuration page from More gtgt
Configuration gtgt Manager Server Configuration on system administrator login
36 Seclore Online Help
Seclore Online Help are updated regularly to provide the latest information about Seclore components and their
functionalities
To configure Seclore Online Help
1 Get the latest Help Manuals from Seclore
2 Extract PolicyServerzip from this folder The extracted folder has the following structure
3 Copy the contents from the Policy Server folder to the ABSOLUTE PATH OF THE POLICYSERVER HOME FOLDER
4 Overwrite existing files and folders if prompted
Note
o Refer READMEtxt file provided with help manuals Detailed instructions for deploying help manuals are
mentioned in this file
o If the Online Help is not configured an error page will be displayed to the user on clicking the Help icon in
the Policy Server
4 Configure BYOK (Bring Your Own Key) in Policy Server Policy Server supports the following key management systems
o Seclore MDK (Default) To configure Seclore MDK in Policy Server refer to Policy Server
[Version]Installation DocsSupplementsSeclore MDK Configuration Guidetxt
o Thales Hardware Security Module (Thales HSM) To configure Thales HSM in Policy Server refer to
Policy Server [Version]Installation DocsSupplementsThales HSM Configuration Guidetxt
By default Seclore MDK is configured It is recommended to use Seclore MDK However you can disable it
Perform Following steps to disable the BYOK
PolicyServer portal pages
help
en
aportal
aum
eum
hag
sag
es
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
12
1 Open ltPOLICYSERVER_HOMEgtconfigMDKConfigxml
a Remove the entire ltmdk-configgt tag
b Only an empty ltmdk-configsgt tag should be present
Note BYOK is only configurable during the initial deployment Once the setup goes live the Configuration cannot
be altered
5 Adoption Stats Policy Server sends monthly and midmonth adoption statistics to productmetricsseclorecomon the 1st and the 16th
of every month This feature will be enabled by default To disable Adoption Stats refer to How to configure Adoption
Stats feature in Policy Server
Note This feature requires a valid consent file to be available
For Production deployment Adoption Stats will not be sent if valid consent file is not available
For POCDemoUAT deployment Adoption Stats will not be sent irrespective of the consent
6 Post Installation Configurations Policy Server homepage can be accessed using
ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAMErdquo
For example ldquohttpsirmacmegroupcompolicyserverrdquo
System Admin login can be accessed using
ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAME]sysadminrdquo
For example ldquohttpsirmacmegroupcompolicyserversysadminrdquo
A System Administrator can provide configuration details configure repositories create Organization Unit
Admin (OU admin) Manage Enterprise Application etc
7 Configuring Other Components
71 Lite Server
Refer the installation guide in the Policy Server [Version]Installation DocsSupplementsLite Server Installation
Guidetxt folder for the Lite Server Application deployment
8 Uploading Customized Seclore Client Installers in Policy Server 1 Access the POLICY_SERVER_APPLICATION_URLsysadmin URL
2 Log in using System Admin credentials
3 Navigate to More gtgt Configuration gtgt Installer and Patch Management
4 Upload the installers of all the clients
5 After successful upload view the installer details in the Uploaded Installer and Patches section
ltxml version=10 encoding=UTF-8gt ltmdk-configsgt lt-- Configure External Encryption Mechanism here --gt ltmdk-configgt ltadaptor-classgtcomsecloremdkadaptorcoreSecloreA2MDKAdaptorltadaptor-classgt ltmdk-configgt ltmdk-configsgt
ltxml version=10 encoding=UTF-8gt ltmdk-configsgt ltmdk-configsgt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
13
6 To verify the uploaded installer file click the download icon or installer file name
9 Frequently Asked Questions
9.1 How do I acquire the Policy Server License?
To acquire the license:
1 Copy UserInfo.exe from Policy Server [Version]\License Utility\UserInfo.exe to a folder on your hard disk, for example D:\Seclore\License Utility
2 Run the UserInfo.exe file on the machine where the Policy Server needs to be installed
The above step generates an XML file in D:\Seclore\License Utility. Send this file to support@seclore.com to get the license file.
9.2 How do I set up the logger?
Logging for the Policy Server can be set in 4 different modes:
Off: Logs nothing
Error: Logs only errors
Info: Logs errors and the major milestones, like connection to the database or connection to AD
Debug: Logs each processing step of the server in detail
To change the logger setting, open the <POLICYSERVER_HOME>\config\log4j2.xml file. It defines three loggers:
REQUEST: Logs all the requests sent by the different clients to the Policy Server, in <POLICYSERVER_HOME>\logs\Request.log
DEBUG: Logs all the processing steps for any request to be served, in <POLICYSERVER_HOME>\logs\PolicyServer.log
SYNC: Logs the steps while synchronizing the different repositories, in <POLICYSERVER_HOME>\logs\Sync.log
Set the level attribute of the corresponding AsyncLogger entry (REQUEST, DEBUG or SYNC) to off, error, info or debug as required. Debug output records request processing in detail, so enable it only while troubleshooting, restrict read access to the logs folder, and return the level to info or error afterwards.
9.3 How do I generate a self-signed SSL certificate?
To create the certificate file:
1 Open a command prompt
2 Change the current directory to the Seclore folder created earlier, for example D:\Seclore, and enter the details as described below.
Note:
Note down the alias name and password. These details are required while configuring the SSL key in the server.xml file, where they are stored in clear text, so restrict read access to that file.
For "First and last name" enter the Fully Qualified Domain Name of the Policy Server, for example www.yourdomain.com. For a wildcard certificate this must begin with the * character, for example *.yourdomain.com.
A keystore password and a key password for the alias are required for smooth functioning of the Policy Server application.
3 Enter the following command
Note: "tomcat" and "acmegroup.keystore" are placeholders. Replace them with appropriate values before executing the command.
o keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA256withRSA -keystore acmegroup.keystore
The command as originally documented used -sigalg SHA1WithRSA (and the older spelling -genkey). Current browsers and JDKs treat SHA-1 certificate signatures as insecure, so use SHA256withRSA. Also add -ext SAN=dns:www.yourdomain.com (or dns:*.yourdomain.com for a wildcard) to the command: Chrome and other current browsers match the host name against the Subject Alternative Name and ignore the CN.
The three AsyncLogger entries in log4j2.xml referred to in 9.2 (shown at debug level; the level attribute is what you change, and the appender references inside each element are omitted here as in the guide):
<AsyncLogger name="REQUEST" level="debug" additivity="false"> ... </AsyncLogger>
<AsyncLogger name="DEBUG" level="debug" additivity="false"> ... </AsyncLogger>
<AsyncLogger name="SYNC" level="debug" additivity="false"> ... </AsyncLogger>
At the end of this activity, the "acmegroup.keystore" file is created in the directory the command prompt was pointing at while running the keytool command, in the example above D:\Seclore.
Note: This keystore file is later referenced in the Tomcat server.xml configuration.
9.4 How do I get a CA-signed SSL certificate?
Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.
To generate a CSR (Certificate Signing Request) and import the certificates:
1 Generate the keystore file. Refer to "How do I generate a self-signed SSL certificate" to get the keystore file.
2 To generate a CSR from the keystore file:
a Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:
keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
b Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current directory.
c Send the CSR to the vendor of the SSL certificate.
Note: Keep the keystore file (e.g. acmegroup.keystore) safe, as your certificates will be installed into it later; the private key that the CA-issued certificate belongs to exists only there.
3 After receiving the certificates from the vendor, import them into the keystore in this order:
For the Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
For the Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
For the Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
The domain certificate must be imported under the same alias as the key pair (tomcat here); keytool then installs it as the certificate reply for that key and reports "Certificate reply was installed in keystore". When importing the root, keytool shows its fingerprint and asks whether to trust it; compare that fingerprint with the one published by the CA before answering yes. Afterwards, keytool -list -v -alias tomcat -keystore acmegroup.keystore should show a certificate chain length of 3 (domain, intermediate, root).
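The keytool steps of 9.3 and 9.4 chained into one script, added here as an editorial example (it is not part of the Seclore guide), with the checks an operator wants before referencing the keystore from server.xml: the host name is validated (FQDN or a proper wildcard), the key pair gets a SAN and a SHA-256 signature, the CA chain is imported in the guide's order, and the resulting entry is inspected. The host irm.acmegroup.com, the alias tomcat, the keystore name acmegroup.keystore and the certificate file names root.crt, inter.crt and mydomain.crt are placeholders taken from the guide; the keystore password is read from the STOREPASS environment variable, and nothing is executed unless it is set and keytool is on the PATH.

```shell
#!/bin/sh
# Editorial example, not part of the Seclore guide: wraps the keytool commands
# of 9.3 (generate key pair) and 9.4 (CSR, import CA chain) with sanity checks.
# Usage:   STOREPASS='...' FQDN=irm.acmegroup.com sh ps-keystore.sh
# Without STOREPASS only the helper functions are defined; nothing runs.

ALIAS="${ALIAS:-tomcat}"                    # placeholder alias from the guide
KEYSTORE="${KEYSTORE:-acmegroup.keystore}"  # placeholder keystore name from the guide
FQDN="${FQDN:-irm.acmegroup.com}"           # assumed example host name
VALIDITY_DAYS="${VALIDITY_DAYS:-36500}"     # as in the guide's command

# Accept "host.example.com" or a wildcard "*.example.com"; reject bare labels
# such as "localhost", "*" anywhere but as a leading label, and empty labels.
check_name() {
    case "$1" in
        ''|*[!A-Za-z0-9.*-]*) return 1 ;;   # empty or illegal characters
        \*.?*.?*) ;;                         # "*.example.com" is acceptable
        *\**) return 1 ;;                    # "*acme.com", "*.com", "a.*.b"
        ?*.?*) ;;                            # at least two labels
        *) return 1 ;;                       # bare label such as "localhost"
    esac
    case "$1" in *..*|*.|.*) return 1 ;; esac
    return 0
}

# Read "keytool -list -v" output on stdin and print the chain length of the
# first entry (0 if none). A CA-signed install shows 3; self-signed shows 1.
chain_length() {
    awk -F': *' '/Certificate chain length:/ { print $2; found=1; exit }
                 END { if (!found) print 0 }'
}

# Print the signature algorithm of the first certificate in the listing.
sig_alg() {
    awk -F': *' '/Signature algorithm name:/ { print $2; exit }'
}

# 9.3: key pair with the FQDN as CN plus a SAN extension and a SHA-256
# signature, instead of the guide's SHA1WithRSA and CN-only certificate.
gen_keystore() {
    check_name "$FQDN" || { echo "refusing to use host name '$FQDN'" >&2; return 1; }
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity "$VALIDITY_DAYS" \
        -dname "CN=$FQDN" -ext "SAN=dns:$FQDN" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# 9.4 step 2: CSR for the CA, written to the current directory.
make_csr() {
    keytool -certreq -alias "$ALIAS" -file csr.txt \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# 9.4 step 3: root and intermediate first, then the domain certificate under
# the SAME alias as the key pair so keytool installs it as the certificate
# reply. The root import prompts with the CA fingerprint; verify it out of
# band before answering yes, which is why -noprompt is deliberately not used.
import_chain() {
    keytool -import -trustcacerts -alias root  -file root.crt     -keystore "$KEYSTORE" -storepass "$STOREPASS"
    keytool -import -trustcacerts -alias inter -file inter.crt    -keystore "$KEYSTORE" -storepass "$STOREPASS"
    keytool -import -trustcacerts -alias "$ALIAS" -file mydomain.crt -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# What to look at before wiring the keystore into server.xml.
verify_entry() {
    listing=$(keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS")
    len=$(printf '%s\n' "$listing" | chain_length)
    alg=$(printf '%s\n' "$listing" | sig_alg)
    echo "entry $ALIAS: chain length $len, signed with $alg"
    [ "$alg" != "SHA1withRSA" ] || echo "WARNING: SHA-1 signature; regenerate with SHA256withRSA" >&2
    [ "$len" -ge 2 ] || echo "NOTE: single self-signed certificate, no CA chain imported yet" >&2
}

if [ -n "${STOREPASS:-}" ] && command -v keytool >/dev/null 2>&1; then
    [ -f "$KEYSTORE" ] || gen_keystore
    [ -f csr.txt ] || make_csr
    if [ -f root.crt ] && [ -f inter.crt ] && [ -f mydomain.crt ]; then import_chain; fi
    verify_entry
fi
```

Run it once to get the keystore and csr.txt, send the CSR to the CA, drop root.crt, inter.crt and mydomain.crt next to the keystore and run it again; the final line should report a chain length of 3 and SHA256withRSA. The keytool options are identical at a Windows command prompt, so the individual commands can be copied into cmd.exe if a POSIX shell is not available on the server.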
9.5 How do I configure Windows Integrated Authentication for MSSQL?
To configure Windows Integrated Authentication for MSSQL with the JDBC driver, follow the steps in Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf.
9.6 What is JNDI Connection Pooling?
The Policy Server uses a JNDI connection pool to connect with the Active Directory Domain Controller. Several parameters of the connection pool can be configured; see http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html for details.
The default idle connection timeout on the Active Directory Domain Controller side is 15 minutes. Seclore recommends providing the following parameter with the Tomcat startup arguments:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter makes the pool close a connection that has been idle in the pool for more than 10 minutes (600000 milliseconds), i.e. before the Domain Controller drops it and the next request would fail on a stale connection. Other parameters can be configured according to the requirements of the deployment.
To configure the startup parameter in Tomcat Server:
1 The syntax for the parameter is -Dparam_name=param_value
2 Start the Tomcat service configuration utility (Tomcat9w.exe, or Tomcat8w.exe on Tomcat 8) from the <TOMCAT_HOME>\bin directory
3 Go to the Java tab and, in the Java Options field, append the parameter name/value pair on its own line, for example
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
Restart the Tomcat service, then confirm the property is active with jcmd <tomcat pid> VM.system_properties | findstr connect.pool
9.7 How do I configure the Adoption Stats feature in Policy Server?
To disable or enable the Adoption Stats feature, execute the respective script in the database:
For disabling Adoption Stats
o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql
For enabling Adoption Stats
o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql
9.8 How do I tune the system for higher performance?
For tuning the system to achieve higher performance, follow the steps in "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt".
10 Resources
Below is the list of documents included, with their location.

Policy Server [Version]\Installation Docs
  Lite Server Installation Guide.txt: Steps for Lite Server installation

Policy Server [Version]\Installation Docs\Supplements
  Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
  Connecting to AD over SSL.txt: Steps to import the SSL certificate into the JVM for connection to Active Directory (over SSL)
  SIM repository Configuration.pdf: Steps to configure a SIM Repository in Policy Server
  Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate into the Java certificate trust store
  Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat
  Tomcat Valve Configuration for Resolving Client IP Addresses.pdf: Steps to configure RemoteIpValve in different server environment setups
  Thales HSM Configuration Guide.txt: Steps to configure a Thales HSM with Policy Server
  Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server
  Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server
  Seclore License Portal - User Manual.pdf: Steps to generate a valid PolicyServer.consent file
  Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server
  SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0 (leave it disabled; SSL 3.0 is obsolete and vulnerable to POODLE)
  GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
  Windows Integrated Auth MSSQL.pdf: Steps to configure Windows Integrated Authentication for MSSQL

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
  Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in for Policy Server

Policy Server [Version]\Installation Docs\References
  Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server
  Open JDK 11 Installation Guide.pdf: Steps to install OpenJDK 11 for Policy Server
  Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server
  Seclore Supported Timezones.pdf: List of timezones that can be configured in the Tomcat Java options
  TCP Socket Timeout Configuration.txt: Steps to configure TcpTimedWaitDelay
This document is meant for training and informational purposes only and should not be distributed without permission. The information in this document is provided "as-is" without warranty of any kind and is subject to change without notice. Seclore is not liable for any loss or damage arising due to this information. No part of this document may be reproduced in any form without the written consent of Seclore. All logos and trademarks are the properties of their respective owners.
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
12
1 Open ltPOLICYSERVER_HOMEgtconfigMDKConfigxml
a Remove the entire ltmdk-configgt tag
b Only an empty ltmdk-configsgt tag should be present
Note BYOK is only configurable during the initial deployment Once the setup goes live the Configuration cannot
be altered
5 Adoption Stats Policy Server sends monthly and midmonth adoption statistics to productmetricsseclorecomon the 1st and the 16th
of every month This feature will be enabled by default To disable Adoption Stats refer to How to configure Adoption
Stats feature in Policy Server
Note This feature requires a valid consent file to be available
For Production deployment Adoption Stats will not be sent if valid consent file is not available
For POCDemoUAT deployment Adoption Stats will not be sent irrespective of the consent
6 Post Installation Configurations Policy Server homepage can be accessed using
ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAMErdquo
For example ldquohttpsirmacmegroupcompolicyserverrdquo
System Admin login can be accessed using
ldquohttps[DOMAIN][PORT][POLICY_SERVER_APPLICATION_NAME]sysadminrdquo
For example ldquohttpsirmacmegroupcompolicyserversysadminrdquo
A System Administrator can provide configuration details configure repositories create Organization Unit
Admin (OU admin) Manage Enterprise Application etc
7 Configuring Other Components
71 Lite Server
Refer the installation guide in the Policy Server [Version]Installation DocsSupplementsLite Server Installation
Guidetxt folder for the Lite Server Application deployment
8 Uploading Customized Seclore Client Installers in Policy Server 1 Access the POLICY_SERVER_APPLICATION_URLsysadmin URL
2 Log in using System Admin credentials
3 Navigate to More gtgt Configuration gtgt Installer and Patch Management
4 Upload the installers of all the clients
5 After successful upload view the installer details in the Uploaded Installer and Patches section
ltxml version=10 encoding=UTF-8gt ltmdk-configsgt lt-- Configure External Encryption Mechanism here --gt ltmdk-configgt ltadaptor-classgtcomsecloremdkadaptorcoreSecloreA2MDKAdaptorltadaptor-classgt ltmdk-configgt ltmdk-configsgt
ltxml version=10 encoding=UTF-8gt ltmdk-configsgt ltmdk-configsgt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
13
6 To verify the uploaded installer file click the download icon or installer file name
9 Frequently Asked Questions
91 How do I acquire the Policy Server License To acquire the license
1 Copy UserInfoexe from Policy Server [Version]License UtilityUserInfoexe to a folder on your hard disk
for example DSecloreLicense Utility
2 Run the UserInfoexe file on the machine where the policy server needs to be installed
The above step will generate an XML file which can be found in the DSecloreLicense Utility Send this file to the
supportseclorecom to get the license file
92 How do setup logger Logging for the Policy Server can be set in 4 different modes
Off Logs nothing
Error Logs only errors
Info Logs error and the major milestones like connection to database or connection to AD
Debug Logs each processing of the server in detail
To change the logger setting open the ltPOLICYSERVER_HOMEgtconfiglog4j2xml file
REQUEST Logs all the requests sent by different client to Policy Server ltPOLICYSERVER_HOMEgtlogsRequestlog
DEBUG Logs all the processing steps for any request to be served ltPOLICYSERVER_HOMEgtlogsPolicyServerlog
SYNC Logs the steps while synchronizing different repositories ltPOLICYSERVER_HOMEgtlogsSynclog
Modify the following properties for different logger for different logging type
93 How do I generate self-signed SSL certificate To create the certificate file
1 Open command prompt
2 Enter details as shown below Change the current directory to the Seclore folder created earlier For example
DSeclore
Note
Note down the alias name and password These details are required while configuring the SSL key in
the serverxml file
For First and last name enter Fully Qualified Domain Name for Policy Server Domain For example
wwwyourdomaincom For a Wildcard Certificate this must begin with the character For example
yourdomaincom
Keystore password and key password for alias name are required for smooth functioning of the
Policy Server application
3 Enter the following command
Note ldquotomcatrdquo and ldquoacmegroupkeystorerdquo are placeholders Replace it with appropriate values before
executing the command
o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -
keystore acmegroupkeystore
ltAsyncLogger name=REQUEST level=debugrdquo additivity=false gt
ltAsyncLogger name=DEBUG level=debugrdquo additivity=false gt
ltAsyncLogger name=SYNC level=debugrdquo additivity=false gt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
14
At the end of this activity an ldquoacmegroupkeystorerdquo file is created The keystore file is created in the directory pointed
by the command prompt while running the keytool command For example in the sample screens above the keystore
file is generated at DSeclore
Note This keystore file will be later referred in Tomcat serverxml configuration
94 How do I get a CA signed SSL certificate Note The words root inter tomcat and acmegroupkeystore are placeholders Replace them with appropriate
values before executing commands
To generate CSR (Certificate Signing Request) request and to import certificate
1 Generate keystore file Refer to How do I generate self-signed SSL certificate to get keystore file
2 To generate CSR from keystore file
a Use keytool to create the Certificate Signing Request (CSR) from your Keystore Enter the
following command in the command prompt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
15
keytool -certreq -alias tomcat -file csrtxt -keystore acmegroupkeystore
b Type the keystore password set earlier and press EnterCSR file named csrtxt is now created in
current user directory
c Send the CSR to the vendor of the SSL certificate
Note Save the keystore file (eg acmegroupkeystore) as your certificates will be installed to it later
3 After receiving the certificates from the vendor import them into keystore
For Root Certificate keytool -import -trustcacerts -alias root -file rootcrt -keystore acmegroupkeystore
For Intermediate Certificate keytool -import -trustcacerts -alias inter -file intercrt -keystore
acmegroupkeystore
For Domain Certificate keytool -import -trustcacerts -alias tomcat -file mydomaincrt -keystore
acmegroupkeystore
95 How do I configure Windows Integrated Authentication for MSSQL To configure windows integrated authentication for MSSQL with JDBC driver follow the steps provided in the Policy
Server[Version]Installation DocsSupplementsWindows Authentication for databaseWindows Integrated
Authentication for MSSQLpdf file
96 What is JNDI Connection Pooling Policy Server uses JNDI connection pool to connect with Active Directory Domain controller There are different
parameters that can be configured for the connection pool Visit the following URL for details about the
connection pool parameters httpdownloadoraclecomjavasejnditutorialldapconnectconfightml
The default connection timeout at Active Directory Domain controller end is 15 minutes Seclore recommends
following parameter to be provided with Tomcat startup arguments
-Dcomsunjndildapconnectpooltimeout=600000
This parameter indicates the pool to release the connection if it has been in the pool for more than 10 minutes
(600000 miliseconds) You can configure other parameters also according to the requirement of the deployment
To configure the startup parameter in Tomcat Server
1 The syntax to configure the parameter is -Dparam_name=param_value
2 Start the Tomcat8wexe from ltTOMCAT_HOMEgtbin directory
3 Go to the Java tab and in the Java Options field append the parameter name value pair For example
-Dcomsunjndildapconnectpooltimeout=600000
97 How do I configure Adoption Stats feature in Policy Server To disable or enable Adoption Stats feature execute the respective script in the database
For Disabling Adoption stats
o MSSQL Database
Policy Server[Version]DB ScriptsPolicy ServerMS-SQLMS-SQL disable adoption statssql
o Oracle Database
Policy Server[Version]DB ScriptsPolicy ServerOracleOracle disable adoption statssql
For Enabling Adoption stats
o MSSQL Database
Policy Server[Version]DB ScriptsPolicy ServerMS-SQLMS-SQL enable adoption statssql
o Oracle Database
Policy Server[Version]DB ScriptsPolicy ServerOracleOracle enable adoption statssql
98 How do I tune the system for higher performance For tuning the system to achieve higher performance follow the steps provided in the ldquoPolicy Server
[Version]Installation DocsReferencesTCP Socket Timeout ConfigurationTCP Socket Timeout Configurationtxtrdquo
file
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
16
10 Resources Below is the list of documents included with location
Document Description
Policy Server [Version]Installation Docs
Lite Server Installation Guidetxt Steps for Lite Server installation
Policy Server [Version]Installation DocsSupplements
Configuring SSO Using WebSEAL Junctiontxt Guidelines on configuring SSO in Policy Server using the
IBM Tivoli Access Manager WebSEAL SSO server
Connecting to AD over SSLtxt Steps to import SSL certificate in JVM for connection to
Active Directory (over SSL)
SIM repository Configurationpdf Steps to configure SIM Repository in Policy Server
Import Self-signed Certificate in Javatxt Steps to import self-signed certificate in Java Certificate
Trust Store
Tweaking Tomcat JVM Memorytxt Steps to configure JVM memory of the Tomcat
Tomcat Valve Configuration for Resolving Client
IP Adressespdf
Steps to configure RemoteIPValve in different server
environment setups
Thales HSM Configuration Guidetxt Steps to configure Thales HSM Policy Server
Google Authentication Configuration Guidepdf Steps to configure Google authentication in Policy Server
Azure Authentication Configuration Guidepdf Steps to configure Azure authentication in Policy Server
Seclore License Portal ndash User Manualpdf Steps to generate a valid PolicyServerconsent file
Seclore MDK Configuration Guidetxt Steps to configure Seclore MDK in Policy Server
SSL 30 Configurationtxt Steps to enabledisable SSL 30
GDPR Implementation Guidepdf Steps to implement GDPR in Policy Server
Policy Server [Version]Installation DocsSupplementsWindows Authentication for Database
Windows Integrated Auth MSSQLpdf Steps to configure Windows integrated authentication
for MSSQL
Policy Server [Version]Installation DocsSupplementsOutlook on the web Add-in Configuration
Outlook on the Web Add-in Configuration
Guidepdf
Steps to install and configure Outlook on the web Add-in
Policy Server
Policy Server [Version]Installation DocsReferences
Creating Database Schemapdf Steps to configure database and execute database script
for Policy Server
Open JDK 11 Installation Guidepdf Steps to install Open JDK 11 for Policy Server
Tomcat 9 Installation Guidepdf Steps to install Apache Tomcat 9 for Policy Server
Seclore Supported Timezonespdf List of timezones that can be configured in Tomcat Java
options
TCP Socket Timeout Configurationtxt Steps to configure tcpTimedWaitDelay
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
17
This document is meant for training and informational purposes only and should not be distributed without permission The information in this
document is provided ldquoas-isrdquo without warranty of any kind and is subject to change without notice Seclore is not liable for any loss or damage
arising due to this information No part of this document may be reproduced in any form without the written consent of Seclore All logos and
trademarks are the properties of their respective owners
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
13
6 To verify the uploaded installer file click the download icon or installer file name
9 Frequently Asked Questions
91 How do I acquire the Policy Server License To acquire the license
1 Copy UserInfoexe from Policy Server [Version]License UtilityUserInfoexe to a folder on your hard disk
for example DSecloreLicense Utility
2 Run the UserInfoexe file on the machine where the policy server needs to be installed
The above step will generate an XML file which can be found in the DSecloreLicense Utility Send this file to the
supportseclorecom to get the license file
92 How do setup logger Logging for the Policy Server can be set in 4 different modes
Off Logs nothing
Error Logs only errors
Info Logs error and the major milestones like connection to database or connection to AD
Debug Logs each processing of the server in detail
To change the logger setting open the ltPOLICYSERVER_HOMEgtconfiglog4j2xml file
REQUEST Logs all the requests sent by different client to Policy Server ltPOLICYSERVER_HOMEgtlogsRequestlog
DEBUG Logs all the processing steps for any request to be served ltPOLICYSERVER_HOMEgtlogsPolicyServerlog
SYNC Logs the steps while synchronizing different repositories ltPOLICYSERVER_HOMEgtlogsSynclog
Modify the following properties for different logger for different logging type
93 How do I generate self-signed SSL certificate To create the certificate file
1 Open command prompt
2 Enter details as shown below Change the current directory to the Seclore folder created earlier For example
DSeclore
Note
Note down the alias name and password These details are required while configuring the SSL key in
the serverxml file
For First and last name enter Fully Qualified Domain Name for Policy Server Domain For example
wwwyourdomaincom For a Wildcard Certificate this must begin with the character For example
yourdomaincom
Keystore password and key password for alias name are required for smooth functioning of the
Policy Server application
3 Enter the following command
Note ldquotomcatrdquo and ldquoacmegroupkeystorerdquo are placeholders Replace it with appropriate values before
executing the command
o keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -
keystore acmegroupkeystore
ltAsyncLogger name=REQUEST level=debugrdquo additivity=false gt
ltAsyncLogger name=DEBUG level=debugrdquo additivity=false gt
ltAsyncLogger name=SYNC level=debugrdquo additivity=false gt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
14
At the end of this activity an ldquoacmegroupkeystorerdquo file is created The keystore file is created in the directory pointed
by the command prompt while running the keytool command For example in the sample screens above the keystore
file is generated at DSeclore
Note This keystore file will be later referred in Tomcat serverxml configuration
94 How do I get a CA signed SSL certificate Note The words root inter tomcat and acmegroupkeystore are placeholders Replace them with appropriate
values before executing commands
To generate CSR (Certificate Signing Request) request and to import certificate
1 Generate keystore file Refer to How do I generate self-signed SSL certificate to get keystore file
2 To generate CSR from keystore file
a Use keytool to create the Certificate Signing Request (CSR) from your Keystore Enter the
following command in the command prompt
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
15
keytool -certreq -alias tomcat -file csrtxt -keystore acmegroupkeystore
b Type the keystore password set earlier and press EnterCSR file named csrtxt is now created in
current user directory
c Send the CSR to the vendor of the SSL certificate
Note Save the keystore file (eg acmegroupkeystore) as your certificates will be installed to it later
3 After receiving the certificates from the vendor import them into keystore
For Root Certificate keytool -import -trustcacerts -alias root -file rootcrt -keystore acmegroupkeystore
For Intermediate Certificate keytool -import -trustcacerts -alias inter -file intercrt -keystore
acmegroupkeystore
For Domain Certificate keytool -import -trustcacerts -alias tomcat -file mydomaincrt -keystore
acmegroupkeystore
95 How do I configure Windows Integrated Authentication for MSSQL To configure windows integrated authentication for MSSQL with JDBC driver follow the steps provided in the Policy
Server[Version]Installation DocsSupplementsWindows Authentication for databaseWindows Integrated
Authentication for MSSQLpdf file
96 What is JNDI Connection Pooling Policy Server uses JNDI connection pool to connect with Active Directory Domain controller There are different
parameters that can be configured for the connection pool Visit the following URL for details about the
connection pool parameters httpdownloadoraclecomjavasejnditutorialldapconnectconfightml
The default connection timeout at Active Directory Domain controller end is 15 minutes Seclore recommends
following parameter to be provided with Tomcat startup arguments
-Dcomsunjndildapconnectpooltimeout=600000
This parameter indicates the pool to release the connection if it has been in the pool for more than 10 minutes
(600000 miliseconds) You can configure other parameters also according to the requirement of the deployment
To configure the startup parameter in Tomcat Server
1 The syntax to configure the parameter is -Dparam_name=param_value
2 Start the Tomcat8wexe from ltTOMCAT_HOMEgtbin directory
3 Go to the Java tab and in the Java Options field append the parameter name value pair For example
-Dcomsunjndildapconnectpooltimeout=600000
97 How do I configure Adoption Stats feature in Policy Server To disable or enable Adoption Stats feature execute the respective script in the database
For Disabling Adoption stats
o MSSQL Database
Policy Server[Version]DB ScriptsPolicy ServerMS-SQLMS-SQL disable adoption statssql
o Oracle Database
Policy Server[Version]DB ScriptsPolicy ServerOracleOracle disable adoption statssql
For Enabling Adoption stats
o MSSQL Database
Policy Server[Version]DB ScriptsPolicy ServerMS-SQLMS-SQL enable adoption statssql
o Oracle Database
Policy Server[Version]DB ScriptsPolicy ServerOracleOracle enable adoption statssql
98 How do I tune the system for higher performance For tuning the system to achieve higher performance follow the steps provided in the ldquoPolicy Server
[Version]Installation DocsReferencesTCP Socket Timeout ConfigurationTCP Socket Timeout Configurationtxtrdquo
file
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
16
10 Resources Below is the list of documents included with location
Document Description
Policy Server [Version]Installation Docs
Lite Server Installation Guidetxt Steps for Lite Server installation
Policy Server [Version]Installation DocsSupplements
Configuring SSO Using WebSEAL Junctiontxt Guidelines on configuring SSO in Policy Server using the
IBM Tivoli Access Manager WebSEAL SSO server
Connecting to AD over SSLtxt Steps to import SSL certificate in JVM for connection to
Active Directory (over SSL)
SIM repository Configurationpdf Steps to configure SIM Repository in Policy Server
Import Self-signed Certificate in Javatxt Steps to import self-signed certificate in Java Certificate
Trust Store
Tweaking Tomcat JVM Memorytxt Steps to configure JVM memory of the Tomcat
Tomcat Valve Configuration for Resolving Client
IP Adressespdf
Steps to configure RemoteIPValve in different server
environment setups
Thales HSM Configuration Guidetxt Steps to configure Thales HSM Policy Server
Google Authentication Configuration Guidepdf Steps to configure Google authentication in Policy Server
Azure Authentication Configuration Guidepdf Steps to configure Azure authentication in Policy Server
Seclore License Portal ndash User Manualpdf Steps to generate a valid PolicyServerconsent file
Seclore MDK Configuration Guidetxt Steps to configure Seclore MDK in Policy Server
SSL 30 Configurationtxt Steps to enabledisable SSL 30
GDPR Implementation Guidepdf Steps to implement GDPR in Policy Server
Policy Server [Version]Installation DocsSupplementsWindows Authentication for Database
Windows Integrated Auth MSSQLpdf Steps to configure Windows integrated authentication
for MSSQL
Policy Server [Version]Installation DocsSupplementsOutlook on the web Add-in Configuration
Outlook on the Web Add-in Configuration
Guidepdf
Steps to install and configure Outlook on the web Add-in
Policy Server
Policy Server [Version]Installation DocsReferences
Creating Database Schemapdf Steps to configure database and execute database script
for Policy Server
Open JDK 11 Installation Guidepdf Steps to install Open JDK 11 for Policy Server
Tomcat 9 Installation Guidepdf Steps to install Apache Tomcat 9 for Policy Server
Seclore Supported Timezonespdf List of timezones that can be configured in Tomcat Java
options
TCP Socket Timeout Configurationtxt Steps to configure tcpTimedWaitDelay
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
17
This document is meant for training and informational purposes only and should not be distributed without permission The information in this
document is provided ldquoas-isrdquo without warranty of any kind and is subject to change without notice Seclore is not liable for any loss or damage
arising due to this information No part of this document may be reproduced in any form without the written consent of Seclore All logos and
trademarks are the properties of their respective owners
lsquo
Policy Server Installation Guide V24260
Seclore Internal - Limited circulation only
14
At the end of this activity an "acmegroup.keystore" file is created. The keystore file is created in the directory pointed to by the command prompt while running the keytool command. For example, in the sample screens above, the keystore file is generated at D:\Seclore.
Note: This keystore file will be referred to later in the Tomcat server.xml configuration.

9.4 How do I get a CA signed SSL certificate?
Note: The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before executing the commands.
To generate a CSR (Certificate Signing Request) and import the certificate:
1. Generate the keystore file. Refer to "How do I generate self-signed SSL certificate" to get the keystore file.
2. To generate the CSR from the keystore file:
   a. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command in the command prompt:
      keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
   b. Type the keystore password set earlier and press Enter. A CSR file named csr.txt is now created in the current user directory.
   c. Send the CSR to the vendor of the SSL certificate.
   Note: Save the keystore file (e.g. acmegroup.keystore) as your certificates will be installed into it later.
3. After receiving the certificates from the vendor, import them into the keystore in this order:
   For Root Certificate: keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
   For Intermediate Certificate: keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
   For Domain Certificate: keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
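As an added post-import check (not part of the guide), the following Python snippet parses the output of `keytool -list -v -keystore acmegroup.keystore` and confirms that the tomcat alias is a PrivateKeyEntry whose chain includes the root and intermediate certificates imported in step 3. The sample keytool output is constructed for this example; the function names are mine.

```python
import re
from typing import Dict

# Constructed sample of `keytool -list -v -keystore acmegroup.keystore`
# output after root.crt, inter.crt and mydomain.crt were imported in the
# order given in step 3 (dates, fingerprints and other fields omitted).
SAMPLE_KEYTOOL_LIST = """\
Your keystore contains 3 entries
Alias name: root
Entry type: trustedCertEntry
Alias name: inter
Entry type: trustedCertEntry
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=policyserver.acmegroup.example, O=Acme Group
Issuer: CN=Example Intermediate CA, O=Example CA
"""


def parse_keytool_list(text: str) -> Dict[str, dict]:
    """Group `keytool -list -v` output into one record per alias."""
    entries: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        if m := re.match(r"Alias name: (.+)", line):
            # Trusted and self-signed entries print no chain length: chain of 1.
            current = entries.setdefault(m.group(1).strip(), {"chain_length": 1})
        elif current is not None:
            if m := re.match(r"Entry type: (\w+)", line):
                current["type"] = m.group(1)
            elif m := re.match(r"Certificate chain length: (\d+)", line):
                current["chain_length"] = int(m.group(1))
    return entries


def check_tls_keystore(text: str, key_alias: str = "tomcat",
                       ca_aliases=("root", "inter")) -> list:
    """Return the problems found; an empty list means the key entry carries
    the private key plus the full CA chain that server.xml will serve."""
    entries = parse_keytool_list(text)
    problems = []
    key = entries.get(key_alias, {})
    if key.get("type") != "PrivateKeyEntry":
        problems.append(f"'{key_alias}' missing or not a PrivateKeyEntry")
    elif key["chain_length"] < 1 + len(ca_aliases):
        problems.append(f"'{key_alias}' chain length is {key['chain_length']}; "
                        "the self-signed certificate is probably still in place")
    for alias in ca_aliases:
        if entries.get(alias, {}).get("type") != "trustedCertEntry":
            problems.append(f"CA alias '{alias}' missing or not a trustedCertEntry")
    return problems
```

A chain length of 1 on the tomcat alias after step 3 usually means the domain certificate import failed (the CA certificates were not yet in the keystore) and the self-signed certificate from 9.3 is still what Tomcat would serve.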
9.5 How do I configure Windows Integrated Authentication for MSSQL?
To configure Windows integrated authentication for MSSQL with the JDBC driver, follow the steps provided in the "Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for database\Windows Integrated Authentication for MSSQL.pdf" file.

9.6 What is JNDI Connection Pooling?
Policy Server uses a JNDI connection pool to connect with the Active Directory Domain Controller. There are different parameters that can be configured for the connection pool. Visit the following URL for details about the connection pool parameters: http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
The default connection timeout at the Active Directory Domain Controller end is 15 minutes. Seclore recommends providing the following parameter with the Tomcat startup arguments:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter instructs the pool to release a connection if it has been in the pool for more than 10 minutes (600000 milliseconds). You can configure other parameters as well according to the requirements of the deployment.
To configure the startup parameter in Tomcat Server:
1. The syntax to configure the parameter is -Dparam_name=param_value.
2. Start Tomcat8w.exe from the <TOMCAT_HOME>\bin directory.
3. Go to the Java tab and, in the Java Options field, append the parameter name-value pair. For example:
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
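As an added example (not from the guide), this Python snippet parses the Java Options as entered in Tomcat8w.exe, checks the pool timeout against the 15-minute Domain Controller idle limit stated above, and appends the recommended value when it is missing. The sample options and the function names are mine.

```python
import re
from typing import Dict

# Figures from this section: the Domain Controller drops idle LDAP
# connections after 15 minutes; Seclore recommends a 10-minute pool timeout.
DC_IDLE_TIMEOUT_MS = 15 * 60 * 1000
RECOMMENDED_POOL_TIMEOUT_MS = 600000
POOL_TIMEOUT_PROP = "com.sun.jndi.ldap.connect.pool.timeout"


def parse_java_options(java_options: str) -> Dict[str, str]:
    """Collect the -Dname=value system properties from the Java Options
    field (Tomcat8w.exe stores one option per line; spaces also work)."""
    props: Dict[str, str] = {}
    for token in java_options.split():
        m = re.fullmatch(r"-D([^=]+)(?:=(.*))?", token)
        if m:
            props[m.group(1)] = m.group(2) or ""
    return props


def check_pool_timeout(java_options: str, dc_idle_ms: int = DC_IDLE_TIMEOUT_MS) -> str:
    """Classify the pool timeout: 'missing', 'invalid' (not a millisecond
    integer), 'too_long' (at or above the DC idle limit, so the pool may
    hand out a connection the DC has already closed) or 'ok'."""
    value = parse_java_options(java_options).get(POOL_TIMEOUT_PROP)
    if value is None:
        return "missing"
    if not value.isdigit():
        return "invalid"
    return "too_long" if int(value) >= dc_idle_ms else "ok"


def apply_recommended(java_options: str) -> str:
    """Step 3 of the procedure: append the recommended pair when the property
    is absent; an existing value is left for the operator to review."""
    if POOL_TIMEOUT_PROP in parse_java_options(java_options):
        return java_options
    pair = f"-D{POOL_TIMEOUT_PROP}={RECOMMENDED_POOL_TIMEOUT_MS}"
    return f"{java_options.rstrip()}\n{pair}" if java_options.strip() else pair


if __name__ == "__main__":
    # Constructed sample Java Options field without the pool timeout.
    opts = "-Dfile.encoding=UTF-8\n-Xms512m\n-Xmx2048m"
    print(check_pool_timeout(opts))                     # missing
    print(check_pool_timeout(apply_recommended(opts)))  # ok
```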
9.7 How do I configure the Adoption Stats feature in Policy Server?
To disable or enable the Adoption Stats feature, execute the respective script in the database.
For disabling Adoption Stats:
   o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL disable adoption stats.sql
   o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle disable adoption stats.sql
For enabling Adoption Stats:
   o MSSQL Database: Policy Server [Version]\DB Scripts\Policy Server\MS-SQL\MS-SQL enable adoption stats.sql
   o Oracle Database: Policy Server [Version]\DB Scripts\Policy Server\Oracle\Oracle enable adoption stats.sql

9.8 How do I tune the system for higher performance?
To tune the system for higher performance, follow the steps provided in the "Policy Server [Version]\Installation Docs\References\TCP Socket Timeout Configuration\TCP Socket Timeout Configuration.txt" file.
10 Resources
Below is the list of documents included, with their locations (Document: Description).

Policy Server [Version]\Installation Docs
  Lite Server Installation Guide.txt: Steps for Lite Server installation

Policy Server [Version]\Installation Docs\Supplements
  Configuring SSO Using WebSEAL Junction.txt: Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server
  Connecting to AD over SSL.txt: Steps to import the SSL certificate into the JVM for connecting to Active Directory (over SSL)
  SIM repository Configuration.pdf: Steps to configure the SIM Repository in Policy Server
  Import Self-signed Certificate in Java.txt: Steps to import a self-signed certificate into the Java Certificate Trust Store
  Tweaking Tomcat JVM Memory.txt: Steps to configure the JVM memory of Tomcat
  Tomcat Valve Configuration for Resolving Client IP Addresses.pdf: Steps to configure RemoteIPValve in different server environment setups
  Thales HSM Configuration Guide.txt: Steps to configure Thales HSM in Policy Server
  Google Authentication Configuration Guide.pdf: Steps to configure Google authentication in Policy Server
  Azure Authentication Configuration Guide.pdf: Steps to configure Azure authentication in Policy Server
  Seclore License Portal - User Manual.pdf: Steps to generate a valid PolicyServer.consent file
  Seclore MDK Configuration Guide.txt: Steps to configure Seclore MDK in Policy Server
  SSL 3.0 Configuration.txt: Steps to enable/disable SSL 3.0
  GDPR Implementation Guide.pdf: Steps to implement GDPR in Policy Server

Policy Server [Version]\Installation Docs\Supplements\Windows Authentication for Database
  Windows Integrated Auth MSSQL.pdf: Steps to configure Windows integrated authentication for MSSQL

Policy Server [Version]\Installation Docs\Supplements\Outlook on the web Add-in Configuration
  Outlook on the Web Add-in Configuration Guide.pdf: Steps to install and configure the Outlook on the web Add-in in Policy Server

Policy Server [Version]\Installation Docs\References
  Creating Database Schema.pdf: Steps to configure the database and execute the database script for Policy Server
  Open JDK 11 Installation Guide.pdf: Steps to install Open JDK 11 for Policy Server
  Tomcat 9 Installation Guide.pdf: Steps to install Apache Tomcat 9 for Policy Server
  Seclore Supported Timezones.pdf: List of timezones that can be configured in the Tomcat Java options
  TCP Socket Timeout Configuration.txt: Steps to configure tcpTimedWaitDelay