Using CA Embedded Entitlements Manager with an external directory server

Document ID : KB000095587
Last Modified Date : 14/05/2018
Introduction:
Most implementations that use CA Embedded Entitlements Manager (EEM) as the authentication and authorization server will be set up with an external directory server as its user store.
The large majority of those will use Microsoft Active Directory as that external directory server.
This document outlines a couple of modifications that apply in the specific case where Active Directory is being used, and a couple of generic modifications that will help with performance and response time no matter which external directory server is being used.
Environment:
CA Applications that use CA Embedded Entitlements Manager and connect to an external directory server for the user store.
Instructions:
The first modifications are going to be the generic performance updates, and not specific to the use of Active Directory.

In the EEM UI, under Manage Access Policies, the functionality exists to create Dynamic User Group Policies (DUGs). More information specific to that can be found in the EEM documentation at docops.ca.com, but will not be delved into here.
These DUGs can use the external directory groups (global groups) as references for inclusion in the DUG, but also application groups, users or other dynamic groups.
If your implementation has many global groups, parsing through them can cause sluggish performance. If your DUGs do not use global groups as references, one change that can be made is to tell EEM not to resolve nested groups at the Global level.

To do this, log into EEM to the Global application as EiamAdmin.
Select the Configure tab, then select User Store, and then from the list on the left select Group Configuration. 
In the top section - Global Group Configuration - change the Group Resolution Level to Do not resolve groups. 
Save that change. 
Leave the Application Group Configuration section alone, no changes needed here.

The next of the generic modifications is an update to iGateway.
Open the igateway.conf file, which is located in the /SC/iTechnology/ folder.
Perform a search for "asynchronous". This should return a result on two lines - 50 and 79 - where you will see the following: 

<implementation>asynchronous</implementation> 

Remove the "a" so that both lines now read 

<implementation>synchronous</implementation> 

These updates will require a restart of the igateway service. If you have multiple EEM servers in a HA/Failover configuration, the change to the igateway.conf file must be done on all servers. 

The next modifications are very specific to using Microsoft Active Directory (MSAD) as your user store external directory.

The first thing is to verify that the MSAD server(s) you are using is set up as a Global Catalog. Verify this with your MSAD admin. MSAD requires authentication requests to go through a Global Catalog (GC), either directly or via a Domain Controller (DC) that has access to a GC. For EEM connections, it is best to connect directly to the GC.
Connecting to the GC requires the use of the GC port. By default, the non-SSL port for the GC is 3268, and the SSL port is 3269.
Update your port numbers accordingly. If you are connected to an MSAD server using 389, change the port to 3268 and save that change.

Using the Global Catalog will result in faster response times for authentication requests.

The second modification will be to enable paging of the MSAD queries by the EEM server.
To enable this, please open the server.xml file located at %EIAM_HOME%/config/server
Search for the word "paged". 
The result should show a line as the following:
<paged>false</paged>

Change false to true as:
<paged>true</paged>

Save the change.
If you make a copy of the file, please move this copy to a backup folder outside of the EEM installation folder structure so as not to cause conflicts.
Again, if you have multiple EEM servers in a HA/Failover setup, these changes must be done on all servers.
Once the change has been saved, restart the igateway service.
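The two file edits above (igateway.conf: asynchronous to synchronous on both implementation lines; server.xml: paged false to true) are easy to get wrong by hand across several HA servers. The following script is an added example, not code from the CA KB article or the EEM product: it applies both edits to config text, checks that nothing was missed, and keeps a timestamped backup in a folder outside the installation tree, as the article recommends. The default file locations are taken from the article; the sample config fragments are constructed for the demo and stand in for the real files.

```python
"""Apply the EEM igateway.conf and server.xml performance edits with a backup and a post-check.
Added example; not the product's own tooling. Paths are assumptions from the KB text."""
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Constructed sample fragments standing in for the real files.
SAMPLE_IGATEWAY_CONF = """<Connector>
  <implementation>asynchronous</implementation>
</Connector>
<Connector>
  <implementation>asynchronous</implementation>
</Connector>
"""

SAMPLE_SERVER_XML = """<ldap>
  <paged>false</paged>
</ldap>
"""

ASYNC_RE = re.compile(r"<implementation>asynchronous</implementation>")
PAGED_RE = re.compile(r"<paged>false</paged>")


def make_synchronous(text):
    """Return (new_text, changes): every asynchronous implementation element set to
    synchronous. Idempotent: text that is already synchronous reports 0 changes."""
    return ASYNC_RE.subn("<implementation>synchronous</implementation>", text)


def enable_paging(text):
    """Return (new_text, changes): <paged>false</paged> switched to true."""
    return PAGED_RE.subn("<paged>true</paged>", text)


def verify(igateway_text, server_text):
    """Post-change check: no asynchronous connector is left and paging is on."""
    return "asynchronous" not in igateway_text and "<paged>true</paged>" in server_text


def backup_then_write(path, new_text, backup_dir):
    """Copy the original into backup_dir (outside the EEM tree, per the article),
    then overwrite the file. Returns the backup path."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d%H%M%S")
    backup = backup_dir / f"{path.name}.{stamp}.bak"
    shutil.copy2(path, backup)
    path.write_text(new_text, encoding="utf-8")
    return backup


def apply_all(igateway_conf, server_xml, backup_dir):
    """Apply both edits to the given files; return a summary dict.
    The igateway service still has to be restarted afterwards (not done here)."""
    ig_new, ig_changes = make_synchronous(igateway_conf.read_text(encoding="utf-8"))
    sx_new, sx_changes = enable_paging(server_xml.read_text(encoding="utf-8"))
    backups = [backup_then_write(igateway_conf, ig_new, backup_dir),
               backup_then_write(server_xml, sx_new, backup_dir)]
    return {"igateway_changes": ig_changes, "paged_changes": sx_changes,
            "verified": verify(ig_new, sx_new), "backups": backups}


def demo_in_tempdir():
    """Run apply_all against the constructed samples in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ig = root / "SC" / "iTechnology" / "igateway.conf"      # path from the article
        sx = root / "EIAM_HOME" / "config" / "server" / "server.xml"  # path from the article
        ig.parent.mkdir(parents=True)
        sx.parent.mkdir(parents=True)
        ig.write_text(SAMPLE_IGATEWAY_CONF, encoding="utf-8")
        sx.write_text(SAMPLE_SERVER_XML, encoding="utf-8")
        result = apply_all(ig, sx, root / "eem_backups")       # backup dir outside the install tree
        result["backups_exist"] = all(b.exists() for b in result["backups"])
        return result


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Run it once per EEM server in an HA/Failover pair, pointing `apply_all` at the real file locations, then restart the igateway service on each. The `verify` result is worth recording: if it is false, a connector still reads asynchronous or paging was not enabled, and the restart should wait until the file has been looked at by hand.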