
Hello CA Single Sign-On Community Users,


Please find below the list of the latest Knowledge Base Articles for CA Single Sign-On (formerly CA SiteMinder) published or updated since 25th October 2016, for your reference:


Java out of memory error causing production outage
Secure proxy servers went unresponsive after logging java.lang.OutOfMemoryError:
Last Update: 2017-02-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1566556

Audit records for changes in WAMUI
Audit records of who did what in the administrative console
Last Update: 2017-02-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1946731

Policy store fail back does not work properly.
When policy stores are deployed as redundancy, fail back does not work properly.
Last Update: 2017-02-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1991177

Actions are not registered in AgentType.
When I tried to register WebAgent actions in AdminUI, they are not displayed.
Last Update: 2017-02-07    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1764799

Product design of Agent Keys Roll Over
Question about Agent Keys roll over design.
Last Update: 2017-02-07    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1557106

What is the purpose of the update query for the Policy Store?
The Policy Server executes an update query against the Policy Store at a regular interval.
Last Update: 2017-02-07    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1470324

How to authenticate a user using multiple attributes besides the password with the HTML Form Auth Scheme
Collect Additional Attributes
Last Update: 2017-02-06    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1214858

What does the "0509-103 The module has an invalid magic number" error message mean?
The "0509-103 The module has an invalid magic number" error message means there is a bit-level mismatch
Last Update: 2017-02-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1709415

Unable to activate Federation Partnership for Production
Federation was set up in a lower environment and XPSExport -xe and -xp were run to export it. Production imports this and fails to display the partnership. New partnerships fail to activate and report that an existing one is already present.
Last Update: 2017-02-02    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1754847

Key Management does not exist in WAMUI
Key Management could not be found in the Admin UI under WAMUI - Administration - Policy Server
Last Update: 2017-02-01    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1998593

How to get 'Authentication' List in SSA\SOI Reports login screen (InfoView)
How to make the 'Authentication' List appear in SOI Reports infoview login screen
Last Update: 2017-02-01    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC560697

Enable SSL for the Agent for SharePoint 2013 - FIPS COMPAT/MIGRATE MODES Example
Steps to enable SSL for the Agent for SharePoint 2013 - Apache and Tomcat front-ends.
Last Update: 2017-01-31    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC561406

APS Errors when attempting to process CGI programs CPW APSAdmin
Getting the following error as of now, I’m speculating that CGI execution can’t see SMCookie which is getting generated… “[SM-APS-15003] APS Administration Service must run under a Web Agent.”
Last Update: 2017-01-27    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1324148

Manually create the required Policy Store objects to protect the R12.52x Access Gateway ProxyUI with CA Single Sign On.
This article details the Policy Store objects that are required to protect the R12.52x Access Gateway with CA Single Sign On, should the automatic creation of these objects fail during the Configuration Wizard.
Last Update: 2017-01-27    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1648008

Cannot search objects in AdminUI based on their Description
This document explains a problem found in some releases when filtering AdminUI results in a view by Description.
Last Update: 2017-01-26    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1166808

'No SAML2 SP Provider found' Error in Federation
Meaning of 'No SAML2 SP Provider found' Error in Federation, SAML2 transaction.
Last Update: 2017-01-24    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1689376

Apache reports "Permission Denied" to load the libmod_sm22.so or libmod_sm24.so module on SELinux.
Verify whether SELinux security settings are preventing the Single Sign On Apache Web Agent from initializing.
Last Update: 2017-01-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC492202

Unable to resolve fully qualified host name. Exiting with HTTP 500 server error '00-0016'
How to resolve the "unable to resolve fully qualified host name" error by updating the ACO
Last Update: 2017-01-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1959852

High availability for Kerberos authentication
The Kerberos auth scheme, as documented, points to a single Policy Server for the service name, which is a single point of failure.
Last Update: 2017-01-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1213853

SPS installation error: Unable to install the Java Virtual Machine included with this installer.
When running the Installer for SPS via Command Line, after selecting the JDK install path, the installer shows an error about not being able to use the Java in the installer.
Last Update: 2017-01-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1483903

Weblogic ASA smreghost error: Failed to enable any clusters. Registration has failed.
ASA Agent failing to register new client to Policy Server.
Last Update: 2017-01-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1778783

Inquiry on Filtering
How can I set up the Single Sign-On (SSO) Policy Server to NOT intercept traffic from winword.exe?
Last Update: 2017-01-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1341548

Configuration of policy server clustering
When using Policy Server clustering, how should it be configured?
Last Update: 2017-01-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1322203

What is SHSMP32.dll?
When the Policy Server is started, an SHSMP32.dll error is output in the Windows Event Handler and the Policy Server is unable to start.
Last Update: 2017-01-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1906367

Tips to integrate SSO (Siteminder) with IdentityMinder
How to integrate CA SSO with CA Identity Manager, with an example based on the available documentation. JDBC Data Source, JBoss, IIS, SiteMinder Web Agent, ISAPI Filters, Proxy
Last Update: 2017-01-19    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1594205

SiteMinder bind to User Directory fails partially with Error 49 - Invalid credentials
LDAP bind fails
Last Update: 2017-01-19    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC450811

Oracle Glassfish 3.0 : Error while starting domain
When installing GlassFish 3.0 as the application server for the Oracle Directory Server console on Linux, an error occurs when starting the created domain. The error is due to a bad JDK being used.
Last Update: 2017-01-18    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1498397

12.52SP1CR05 - Policy Server core when using custom authentication scheme
There is a known issue with 12.52SP1CR05 when using custom auth scheme. Fixed in 12.52SP1CR06
Last Update: 2017-01-18    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1468698

Unable to locate parent for "CA.SM::SAMLv2IdP" object error
This document explains why this error can appear during an upgrade, and how to solve it.
Last Update: 2017-01-18    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1937741

Configuring the Web Agent, this one reports error : Unable to get key: 4301
This technote discusses a specific error occurring when registering the Web Agent
Last Update: 2017-01-18    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1486506

Rule Actions are not set properly when creating a Rule with Perl CLI
This document explains why the Actions field does not work properly when creating a rule through the Perl CLI, and how to solve it.
Last Update: 2017-01-18    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1731025

ServletExec modules are still contained in Policy Server r12.6 unexpectedly.
This explains the incorrect modules contained in Policy Server 12.6.
Last Update: 2017-01-18    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1231149

CA Federation & Office 365 Integration: ObjectGUID as ImmutableID
This document explains CA Federation & Office 365 Integration: how to define ObjectGUID (a binary attribute) as the ImmutableID attribute in the Federation Partnership.
Last Update: 2017-01-12    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1782098

Impersonation using SDK.
Impersonation using SDK AgentAPI.login() call
Last Update: 2017-01-11    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC499241

Administrative UI installation fails
adminui reinstall install
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC548213

Is it supported to have Policy Server and AdminUI on different CR levels?
Policy server adminui crs
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC553533

Administrative UI registration is failing with "Unknown Error. Create Failed".
Adminui registering Unknown Error. Create Failed
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC556106

How to prevent ACS URL spoofing in an AuthnRequest
It is possible to insert a different Assertion Consumer Service URL into the SP authnrequest. How can this be prevented?
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1133703

Dynamically setting AuthnContextClassRef in the assertions
Dynamically setting AuthnContextClassRef in the assertions based upon the authentication scheme or authentication level that the SSO user authenticated with; currently the Assertion Generator API does not have that information exposed to it.
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1354535

SMPS Error: "Bad installation or configuration, Assertion handler can't be initialized. Leaving Assertion Generator Framework."
500 Error during CA Federation & Office 365 Transaction. SMPS Error: "Bad installation or configuration, Assertion handler can't be initialized. Leaving Assertion Generator Framework."
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1880219

"Allow Protection Override" checkbox on the custom authentication scheme.
The documentation (topic "custom-authentication-schemes") describes the "Allow Protection Override" checkbox on the authentication scheme. This option specifies that the protection level in the library takes precedence over the protection level specified in t
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1674413

XSS Error in the browser, CA Federation & Office 365 Integration
XSS error in the browser as part of the CA Federation and Office 365 integration, when testing in Internet Explorer after authentication.
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1252731

Signed SP Initiated Request: Signature verification failing at 3rd party IDP
"Can not verify digital signature" error at 3rd party IDP when signature cannot be verified for a signed AuthNRequest or SAMLRequest from CA Federation.
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1525465

AdminUI :: OutOfMemoryError
This technote discusses a specific error on the AdminUI and JBoss services and gives the way to fix it.
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC548400

Seeing AgentInstance errors after disabling Agent Discovery feature
This document explains why you can see AgentInstance object errors after disabling the Agent Discovery feature, and how to solve it.
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1413935

What is the maximum length of a user's password that can be posted?
Is there a limitation on the maximum length of a user's password for POST requests?
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC557679

WamUI :: JBoss : MyfacesConfig Error
This technote discusses a specific error in the JBoss AdminUI and tells how to fix it.
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC548322

Policy Server starting slow with ODSEE Policy Store
This document explains why an ODSEE Policy Store configured with the Policy Server Configuration Wizard could have performance issues, and how to solve it.
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1240905

ODSEE Policy Store : Error occurred during "SearchExt" for "(&(objectClass=xpsObject)(|(xpsCategory=2)(xpsCategory=3)))", text: Insufficient access
This document explains why this error appears on ODSEE Policy Stores when using non-Directory Manager users.
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1553622

Session invalidated : cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA
This technote discusses a specific error related to ciphers on SPS
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1346294

Accessing creds.ntc, I get in the browser the message "redirected too many times"
This technote discusses a specific message seen in the browser when accessing the Windows Authentication Scheme.
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1845552

What does the message "SMAUTHREASON parameter value is non-numeric" mean?
This technote discusses the meaning of a specific Web Agent message in the Web Agent traces
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1674387

Is there an Agent for Nginx?
This technote discusses the possibilities for protecting Nginx resources.
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1633341

LDAP Groups for SharePoint FBA Authorization.
This technote discusses the scope of usage of LDAP Groups with the SharePoint Agent
Last Update: 2017-01-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC506698

Policy server secure ldap connection failure
SSLv3 not working on 12.52 SP2 policy server
Last Update: 2017-01-06    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1138708

How to monitor memory leaks on Windows using Perfmon.exe
Windows Perfmon To Profile Memory Leak
Last Update: 2017-01-05    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC529361

We cannot disable the Agent Discovery feature in a Novell eDirectory Policy Store
This document describes a workaround for disabling the Agent Discovery feature in a Novell eDirectory Policy Store
Last Update: 2017-01-05    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1343336

How to Configure a "WebAgent-OnReject-Text" Response Attribute
How to configure the agent to get the text set by the "WebAgent-OnReject-Text" response
Last Update: 2017-01-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1856736

Console mode install (-i console) attempts to open X-windows
java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11GraphicsEnvironment
Last Update: 2017-01-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1445642

Policy Server Hung if LDAP User Directory is unresponsive/slowly performing
Hung policy server
Last Update: 2017-01-02    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1013829

How to configure Impersonation?
Step-by-step instructions on how to configure Impersonation and test it
Last Update: 2017-01-02    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1055358

Websphere Application Server Agent Installed Files List
List of files installed by the Weblogic ASA
Last Update: 2016-12-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1230496

Weblogic Application Server Agent Installed Files List
List of files installed by the WebLogic ASA
Last Update: 2016-12-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1949179

Failed to Load Library Error
Custom auth scheme failed to load
Last Update: 2016-12-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1312022

Convert an HTTP Header Response Attribute to Upper Case
A WebAgent-HTTP-Header-Variable is configured to return a user attribute from an LDAP user store. The attribute is stored in a mix of upper and lower case. The HTTP Header variable needs to be in upper case.
Last Update: 2016-12-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1832505

Running Policy Server, the statistics shows "Current Thread" value equal to "Max Thread" permanently
This technote discusses the thread values in the Policy Server statistics lines
Last Update: 2016-12-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1749666

ASA Agent cannot start and reports error "Unable to create configuration setup from the policy server"
This technote discusses the cause and solution of a specific error when starting the ASA Agent
Last Update: 2016-12-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1975665

Siteminder Application Roles configuration to use specific value in a multivalued attribute for authorization
How to configure Siteminder to use a specific value in a multivalued attribute for authorization
Last Update: 2016-12-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1751423

12.6 XPSSweeper integrity check tool reports errors that cannot be fixed automatically.
When running the new 12.6 XPSSweeper integrity check tool, there could be some errors that cannot be fixed automatically, especially regarding CA.SM::SAMLv2IdP.Name / CA.SM::UserDirectory
Last Update: 2016-12-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1462638

SSO stopped working on HR website
The SSOs on our HR website stopped working in the morning of Sept. 3. The SSO uses an R12.52 SPS server in the DMZ and the R12.52 policy server as the back end server. When the issue occurred, we rebooted the SPS server only and then SSOs worked again. I am uploading the logs for your check. The errors I found in the policy server smtracedefault log are:
[09/03/2016][08:34:12.961][08:34:12][2236][736][AssertionHandlerSAML20.java][postProcess][139957d9-9577ef13-371cdb48-06d3a404-255d77cc-8ac][][][][][][][][][][][][][][][][][][][][Start to wrap-up the SAML2.0 response.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/03/2016][08:34:12.961][08:34:12][2236][736][AuthnRequestProtocol.java][logAuditData][139957d9-9577ef13-371cdb48-06d3a404-255d77cc-8ac][][][][][][][][][][][][][][][][][][][][Error getting filling assertion audit data.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/03/2016][08:34:12.961][08:34:12][2236][736][AuthnRequestProtocol.java][closeupProcess][139957d9-9577ef13-371cdb48-06d3a404-255d77cc-8ac][][][][][][][][][][][][][][][][][][][][POST signing option: 0][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/03/2016][08:34:12.961][08:34:12][2236][736][AuthnRequestProtocol.java][closeupProcess][139957d9-9577ef13-371cdb48-06d3a404-255d77cc-8ac][][][][][][][][][][][][][][][][][][][][The Response can not be parsed to XML document. Exception Message: The ID '_6d1107235ac34ad9ea4e242fecda21e52a7c' is not unique in this XML document][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/03/2016][08:34:12.961][08:34:12][2236][736][AssertionGenerator.java][invoke][139957d9-9577ef13-371cdb48-06d3a404-255d77cc-8ac][][][][][][][][][][][][][][][][][][][][AssertionHandler postProcess() failed. Leaving AssertionGenerator.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
Also from the affwebserv log on the SPS server, I found the following error: "Transaction with ID: 12eac848-fb750d7d-3db699a7-8de80982-f83b5fb1-fb8b failed". Please let me know what caused the SSO errors and why the transaction ID is not unique. Again, a reboot of the SPS server fixed the issue and we did not do anything to the policy server at that time.
Last Update: 2016-12-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1086918

ODBC Errors with Data Stores in MSSQL Server
ODBCAD32.exe: 'Test Connection' Error: [DataDirect][ODBC SQL Server Wire Protocol driver] Cannot load trust store. SMConsole Error Failure. Siteminder can not access the following data sources: : SM-DBU-00620. Error code -1063
Last Update: 2016-12-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1507645

CA SSO/Siteminder Administrative User Interface (AdminUI) fails logon.
CA SSO/Siteminder Administrative User Interface (AdminUI) fails logon. "Error: Unable to process logins. Please contact your administrator."
Last Update: 2016-12-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1297509

Issues renaming the Secure Proxy Server access log
We are trying to rename the Secure Proxy Server current access log to the following format: accesslog.log. It was achieved by updating httpd.conf, but an additional number is getting added to the filename, like accesslog.log.1448841600.
Last Update: 2016-12-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1759004

SSL Errors with Data Stores in MSSQL Server
ODBCAD32.exe: 'Test Connection' Error: [DataDirect][ODBC SQL Server Wire Protocol driver] SSL required, but was not requested. SMConsole Error Failure. Siteminder can not access the following data sources: : SM-DBU-00620. Error code -1063
Last Update: 2016-12-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1668077

SPS Server reports error "java.net.SocketException: Broken pipe"
This technote discusses the possible cause of a specific error in SPS
Last Update: 2016-12-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1468434

Policy Server :: HouseKeeping Thread LDAP Request : xpsCategory
This technote discusses the meaning of the xpsCategory class in Policy Server ldap searches.
Last Update: 2016-12-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1242723

When does the clock start for the request? Does it start when the reactor thread receives the request?
This question/answer relates to the fact that the trace log can show messages like CSm_Auth_Message::AnalyzeAgentAuthMessage that rarely take a long time to complete.
Last Update: 2016-12-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1018926

What could be one of the causes of the "TCP Message timed out" error? Can one of the causes be, the message stays in the queue for too long after SiteMinder receives it and it times out?
This question/answer relates to the fact that the trace log can show messages like CSm_Auth_Message::AnalyzeAgentAuthMessage that rarely take a long time to complete. At the same time you received a TCP timed out message, the CSm_Auth_Message
Last Update: 2016-12-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1863715

What could be one of the many causes of the "TCP Message timed out" message
The TCP timeout and its message are not the cause of the problem; they are just a reflection of the problem.
Last Update: 2016-12-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1293763

Policy Server :: Federation : SAML WCTX Parameter
This technote discusses the value that the WCTX parameter should have
Last Update: 2016-12-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC606703

Policy Server :: smps.log : Unable to establish administration context
This technote discusses a specific error message in smps.log
Last Update: 2016-12-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC604281

When is AgentID.dat file created?
This document explains when and how the AgentID.dat file can be created
Last Update: 2016-12-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1697265

IWA authentication fails with a 403 Forbidden Error
After updating my IIS 7 web agents from 12.0 to 12.51 I can no longer get IWA to work properly, and get a 403 error
Last Update: 2016-12-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1095426

After upgrade of SiteMinder 12.52 from CR1 to CR5 wily stopped working
We recently applied CR5 patch to Policy Server CR12.52 CR1 on our Solaris servers. Policy server is working fine. But it is unable to load the wily library. We can clearly see this error message in the SMPS.Log. "Failed to initialize event handler"
Last Update: 2016-12-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1197262

Is there any limitation with CA Access gateway / SPS on Uploading/Downloading large files ?
When trying to upload/download large files with CA Access gateway / SPS, it fails if file size is more than 2 GB.
Last Update: 2016-12-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1201607

Web Agent fails processing FCC
When using Form authentication, the Web Agent fails to process the FCC. One of the reasons could be a problem with the SMENC variable
Last Update: 2016-12-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1237162

Can't connect to CA DIRECTORY policystore
Problem switching policy stores from Oracle LDAP to CA Directory over SSL
Last Update: 2016-12-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1935395

AD Old Password Still Accepted
Old Active Directory user password still accepted
Last Update: 2016-12-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1080524

JVM Debugging in Policy server
How to debug JVM related error in Policy server
Last Update: 2016-12-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1608681

SM Web Agent LLAWP failed to initialize with Apache 2.4 on startup due to a semaphore issue
How to resolve Web Server/Web Agent startup issues and outages due to orphaned semaphores and shared memory segments
Last Update: 2016-12-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1063617

Multi-Master LDAP Policy Store Considerations
ldap multi-master administration
Last Update: 2016-12-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1528671

Does Agent for SharePoint support SSO Zones?
zones sharepoint session cookies
Last Update: 2016-12-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1179946

Search target="root" info="base, objectClass=*"
objectClass=* searches
Last Update: 2016-12-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC454675

SPS: Message: java.security.InvalidKeyException: Illegal key size
While testing the SPS OAuth2 client with our internal OAuth server, after receiving the code from the browser, SPS returns 500 and dumps the error in the log. I can reproduce the issue any time by resubmitting the same request to SPS.
Last Update: 2016-12-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1629539

Administrative UI : How to enable SSL Debug
Steps to enable SSL debugging on Admin UI JBoss
Last Update: 2016-12-13    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1712227

Administrative UI : How to increase the request timeout
How to increase the request timeout for Admin UI requests to the Policy Server
Last Update: 2016-12-13    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1609018

Administrative UI : Vulnerability : Lack of Cookie Attribute - Secure
The JSESSIONID cookie of the Admin UI is missing the Secure flag
Last Update: 2016-12-13    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1126443

Administrative UI : Vulnerability : Insufficient Session Expiration
The Administrative UI session timeout is very high
Last Update: 2016-12-13    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1662884

Datetime field overflow error occurred when calling SQLExecute for Housekeeping Policy Data Read
After a DB2 upgrade from 9.7 to 10.5, an error occurred when calling "SQLExecute" for the "Housekeeping Policy Data Read" query: [ERROR][sm-xpsxps-00810] Native Diagnostic: 22008:0 [NS][ODBC DB2 Wire Protocol driver]Datetime field overflow. Error in parameter 1.
Last Update: 2016-12-13    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1147054

How to enable SM_USERGROUPS
SM_USERGROUPS
Last Update: 2016-12-11    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1868824

SP-Initiated POST request results in 400 Error
SP-Initiated POST request results in 400 Error: No SAMLRequest or SPID parameter in request to SAML2 Single Sign-On Service Ending SAML2 Single Sign-On Service request processing with HTTP error 400
Last Update: 2016-12-09    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1344266

Integrating CA Single Sign On (fka SiteMinder) with Oracle WebLogic with Oracle WebCenter 12 deployed
Oracle WebCenter requires the Subject to be signed with a WebLogic Principal, but the SiteMinder Authentication Provider signs the Subject with a SiteMinder Principal. How do I get CA Single Sign On to integrate when WebCenter 12 is deployed on WebLogic?
Last Update: 2016-12-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1856623

Maximum hours for Session Maximum Timeout, Idle Timeout, and Validation Period of Realms
The upper limit of Max Session Timeout, Idle Timeout, and Validation Period of Realms
Last Update: 2016-12-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1706646

How to configure the Single Sign On TAI so that the SiteMinder User can be located as a unique user within the WebSphere User Registry.
How to determine what Identity will be propagated to WebSphere by the Single Sign On TAI and used to query the WebSphere User Registry to obtain the UniqueUserID from the user's WebSphere User Registry attributes.
Last Update: 2016-12-07    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1364609

How to utilize an LDAP User Directory with a custom ObjectClass in a Single Sign On (fka SiteMinder) environment.
This article explains the sm.registry modifications required to utilize an LDAP User Directory that is configured with a custom ObjectClass for the users with the CA Single Sign On (fka SiteMinder) environment.
Last Update: 2016-12-05    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1297676

RSA Auth Scheme Configuration error
What are the requirements for RSA auth scheme configuration?
Last Update: 2016-12-02    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1415752

Does updating the x509 with a different "issued to" certificate name keep the alias and all existing partnerships in place?
Does updating the x509 with a different "issued to" certificate name keep the alias and all existing partnerships in place?
Last Update: 2016-12-01    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1593171

Steps involved in updating the Policy Server encryption key
Steps needed to change the Policy Server encryption key
Last Update: 2016-12-01    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1795424

HTTP Error 503 when using Form Authentication with IIS 7.5
When using the form authentication scheme, a 503 error occurs with IIS. When using basic, there is no problem. Need to check web.conf and preconditions.
Last Update: 2016-11-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1060401

How to configure X.509 Cert Authentication with CA Access Gateway
Steps to configure X.509 Cert Authentication with CA Access Gateway
Last Update: 2016-11-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1135734

Web Agent Trace files are empty
Agent Logs and Traces are both configured. Both Agent Logs and Agent Traces are being created, however the Agent Trace files are empty.
Last Update: 2016-11-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1363943

Signing algorithm is coming as SHA1 in Metadata export even though we select SHA256 in Entity/Partnership
The signing algorithm is coming as SHA1 in the Metadata export even though SHA256 is selected in the Entity/Partnership
Last Update: 2016-11-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1744788

Changes on smpolicysrv stats
Why has the smpolicysrv stats format changed from r12.52 SP1 CR05 onwards? Why were Waits and Misses removed from the smpolicysrv stats? smpolicysrv -stats
Last Update: 2016-11-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1814821

Federation SMPORTALURL vulnerability
Federation SMPORTALURL poses OpenRedirect Vulnerability
Last Update: 2016-11-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1519514

AdminUI :: Certificate : Attribute Format
This technote discusses the certificate formats that can be used with the AdminUI
Last Update: 2016-11-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC617304

Federation Manager :: Delegated Authentication Status : Session Timeout and Redirection to the Delegated Authentication Page
This technote discusses the usage of the "Track Delegated Authentication Status" feature for federation partnership
Last Update: 2016-11-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1446194

Policy Server :: LDAP Group : Member Definitions
This technote discusses the values that an LDAP Group can have
Last Update: 2016-11-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC616945

AdminUI :: Error : The administrator directory could not be initialized
Trying to access the AdminUI running on Linux, I get a 500 return code in the browser
Last Update: 2016-11-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1456355

Characters ";" and "=" are encoded in URL but not decoded on redirection to the target URL after authentication.
This article explains a compatibility issue between Web Agent r6 and r12.5x.
Last Update: 2016-11-28    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1788452

Missing registry entries
A few registry entries that used to exist in r12.0 are not available in 12.52 SP2
Last Update: 2016-11-28    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1264816

What is FlushObjCache registry used for
Flushing object cache
Last Update: 2016-11-28    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1956095

Unable to insert into audit database : String or binary data would be truncated
String or binary data would be truncated error is shown while inserting record into smobjlog4 table
Last Update: 2016-11-27    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1269524

When I try to change my password and it's refused, the page doesn't show the User-Friendly message (smpwservices.fcc)
This technote discusses the missing data when a password change is attempted and the password isn't accepted
Last Update: 2016-11-25    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1736652

Exception trying to extract entities from metadata
We are having exception errors while importing entity metadata
Last Update: 2016-11-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1763376

Error when registering AdminUI and accessing for the 1st time
After installing and configuring the AdminUI properly and running XPSRegClient for the registration, an error appears when trying to log in to the AdminUI
Last Update: 2016-11-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1088134

IDP defaulting to different AssertionConsumerServiceURL
IDP defaulting to different AssertionConsumerServiceURL other than the one sent by SP
Last Update: 2016-11-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1912939

SPS Tuning on Linux
This technote discusses some aspects of SPS tuning on Linux
Last Update: 2016-11-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1785241

Issues with KeyMarker: 4 while importing Agent keys
Why am I getting issues with KeyMarker: 4 while importing Agent keys
Last Update: 2016-11-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1786593

Changes made in Fed Object not reflected in CA Access Gateway / Secure Proxy Server
Sometimes making changes to the Federation Setup (ACS URLs), changes are not taken into account automatically by CA Access Gateway / Secure Proxy Server and need a complete restart.
Last Update: 2016-11-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1686988

Can not see user Groups in HTTP headers
In your application you may be interested in getting groups associated with a logged user. You can use the default Siteminder variables : %SM_USERGROUPS or %SM_USERNESTEDGROUPS
Last Update: 2016-11-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1726572

FSS UI Certificate Expired so not loading
FSS UI not loading up. It was working before
Last Update: 2016-11-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1896137

No error message when Agent Key Rollover is executed.
When a customer set up PostgreSQL key store replication, they executed an Agent Key rollover in the AdminUI against a read-only key store.
Last Update: 2016-11-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1819671

Policy Store can't fail back properly
Policy Server can't fail back to secondary store
Last Update: 2016-11-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1314005

Redirect Response with Auth/Az Web services
How does redirect response work with SPS Auth/Az Web services
Last Update: 2016-11-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1470994

Session Assurance stuck before target page where the request reaches /siteminderagent/redirect.sac
This document shows how to solve the situation where having Session Assurance enabled the request gets stuck when requesting redirect.sac file
Last Update: 2016-11-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1307516

Agent for SharePoint doesn't seem to handle Session Assurance ticket
This technote discusses the use of Session Assurance with the Agent for SharePoint
Last Update: 2016-11-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1460869

OneView Monitor cannot save new view settings
This document explains why this problem happens and how to solve it
Last Update: 2016-11-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1332975

Active Response Becomes Static Response
An active response becomes a static response when edited in the AdminUI more than three times.
Last Update: 2016-11-18    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1531208

How to append "@abc.com" to assertion attribute
I have an assertion attribute called EmployeeNumber but SP is accepting in below mentioned form. How to achieve it? EmployeeNumber@abc.com Here we need to add "@abc.com" to the employee number.
Last Update: 2016-11-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1433231

FSS UI password lost
This document tells how you can recover the passwords used to access FSS UI
Last Update: 2016-11-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1587782

SPS Exceptions reported when trying to access any tab in the Proxy UI
Cannot access the ProxyUI tabs, and the logs reporting SPS Exceptions
Last Update: 2016-11-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1807881

SPS Reporting Error After Install: Possible cause: architecture word width mismatch
architecture word width mismatch error reported in sps logs after installation
Last Update: 2016-11-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1928075

How to disable SM_PROXYREQUEST HTTP header
This document clarifies if this HTTP header is sent or not by default by the Web Agent, and if it can be disabled and how.
Last Update: 2016-11-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1721009

AdminUI is failing to establish trust with Policy Server
Failed to establish trust with the Policy Server
Last Update: 2016-11-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1402986

Can we install Install patches on RedHat kernel where CA Access gateway is running ?
Part of the System Administrator's task is to get the latest patches onto the system. If the OS is supported, we certify the latest patches.
Last Update: 2016-11-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1453254

Encrypted Active Response
How to send and consume encrypted active response
Last Update: 2016-11-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1703842

How to enable and disable xtrace in policy server
Run xpsconfig for xtrace configuration
Last Update: 2016-11-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1353959

How to Pre-fill username during step up authentication
In this guide we will see how to pre-fill the username field during second challenge in step up authentication
Last Update: 2016-11-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1030902

Is there a stand-alone Test Tool?
Test tool, SDK
Last Update: 2016-11-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1567605

Resolving an HTTP 405 (METHOD Not Allowed) error with IdentityIQ on a REST API FORM PostBack when the site is protected by CA Single Sign On (fka SiteMinder).
SailPoint Technologies Inc. IdentityIQ with AngularJS and XSRF/CSRF (Cross-Site Request Forgery) causes an HTTP 405 (METHOD Not Allowed) error on a REST API FORM PostBack when the site is protected by CA Single Sign On (fka SiteMinder).
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1498416

Web Agent rejects Third Party Token
Is there a setting for web agent that can convert a “Third Party Token” to a standard token after validation? unable to process SMSESSION
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1542117

Unable to execute ActiveExpression and getting java.util.MissingResourceException in profiler logs
[Active expression 'GetActiveAttr;smjavaapi;JavaActiveExpression;com.netegrity.assertiongenerator.AssertionGenerator -AssertionHandler:SAML20 basic:HomePlanBlueCrossCode=170|basic:HomePlanBlueShieldCode=670|basic:HostPlan=Blue Cross Blue Shield of Louisia
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1785387

AceInitialization failed for RSA Authentication
LogMessage:ERROR:[sm-LoginLogout-00850] SmAuthenticate: AceInitialization failed LogMessage:ERROR:[sm-Server-02960] Failed to initialize authentication scheme Cannot init Auth scheme. leave function
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1439437

# in URL / URI
Text after # in URL is not processed. Problem with # in URL with siteminder
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1759365

Web Agent :: Windows : Event ID Description
This technote discusses the Event IDs for the Web Agent on Windows systems.
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC606992

Web Agent :: ACO : DisableDNSLookup Precisions
This technote discusses a specific ACO parameter
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC612510

Policy Server :: ODBC Audit Logs : Timestamps
This technote discusses timestamps in audit logs
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC613228

Policy Server :: ODBC : File not found '.odbcinst.ini'
This technote discusses the ways to troubleshoot the error .odbcinst.ini
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC615853

Internationalization doesn't work in upgraded 12.52SP1 CA Single Sign-On environment.
This technote discusses specific settings for localization in an upgraded environment.
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1210489

Starting the Web Server, the Session Linker libraries cannot be loaded reporting an undefined symbol: ap_rputs
This technote discusses a specific error when integrating SessionLinker with Web Agent and Apache Web Server
Last Update: 2016-11-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1499565

Default HTTP Header for unprotected resources
This explains Default HTTP Header functionality for unprotected resources.
Last Update: 2016-11-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1420414

Getting the errors "Assert failed: Attr" and "Assert failed: Domain" when importing a Policy Store export with XPSImport
This document discusses the causes of this error message and in which ways this can be solved
Last Update: 2016-11-11    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1320082

Getting the error "Duplicate value for CA.SM::Realm.Name" when importing a Policy Store export with XPSImport
This document discusses the causes of this error message and in which ways we can solve this
Last Update: 2016-11-11    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1179514

How to configure extended ODBC traces on Windows 2012 ?
Having extended ODBC traces is useful for debugging problems with ODBC components. Configuring them on Windows 2012 is slightly different than on 2003/2008.
Last Update: 2016-11-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1975861

Why are there differences between JVMOptions.txt in SiteMinder releases?
The JVMOptions.txt file contains the settings that the Policy Server uses when creating the Java virtual machine. It can vary depending on version.
Last Update: 2016-11-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1906857

If you have already registered a WAMUI with a policy server, but want to register it against other policy servers
AdminUI WamUI register
Last Update: 2016-11-09    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1425033

The backend Web Server gives the unauthorized response instead of the Web Agent Reverse Proxy
This technote discusses the configuration of the Apache Web Server when a Web Agent is configured on it.
Last Update: 2016-11-09    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1052572

Policy Server cannot stop normally and shows "Using SIGKILL to stop the Policy Server"
This technote discusses the solution about a specific issue happening at the Policy Server shutdown on Unix / Linux
Last Update: 2016-11-09    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1921835

smkeyimport creates new four Agent Keys in the existing Key Store. This results in the duplicate set of Agent Keys.
This article explains a remark when running smkeyimport.
Last Update: 2016-11-09    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1673294

SiteMinder platform support matrix for all SiteMinder components
SiteMinder platform support matrix
Last Update: 2016-11-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC487209

SMSESSION Cookie for Unprotected Realm
This article explains SMSESSION cookie issuing function.
Last Update: 2016-11-07    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1819257

Max Connections for Apache 'event' MPM model
Apache Web Server is configured as event MPM model. In this case, what is the max connections from Web Agent to Policy Server calculated w/ using MaxSocketsPerPort?
Last Update: 2016-11-02    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1553236

IgnoreHost :: DefaultAgentName
This explains the requirement of IgnoreHost ACO parameter.
Last Update: 2016-11-02    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC511356

How to setup Facebook OAuth Federation Partnership
Facebook App integration: creating a Facebook developers account; creating the local and remote entities and the partnership using the client ID and secret provided by Facebook
Last Update: 2016-10-31    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1639764

Unable to run xpssecurity
xpssecurity is not recognized as an internal or external command, operable program or batch file.
Last Update: 2016-10-31    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1100582

Not enough temp space - installing Siteminder Administrative UI
CA Siteminder Administrative UI installer needs 31457228KB on the TEMP disk. There is only 1889272 KB on the TEMP disk. Cleanup the TEMP disk or move the files to any other location and relaunch the installer.
Last Update: 2016-10-26    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1952423

Is the ACO loaded from the smhost.conf or from the HCO ?
ACO loading process.
Last Update: 2016-10-25    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1678621

Configuring XPSSweeper to run on a Schedule
Automating XPSSweeper to run on a schedule.
Last Update: 2016-10-25    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1578712

Please note that you can always access the full list going to the following link:

CA Single Sign-On 

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

Introduction:

In this guide we will see how to install and configure OpenLDAP as a Policy Store.

Environment:

  • Policy Server: R12.52 SP1, R12.52 SP2, R12.51
  • Policy Store: OpenLDAP 2.4.4

Instructions

This guide covers installing and configuring OpenLDAP as a policy store from scratch.

For simplicity, we divide this into two broad categories as follows:

  1. Install and run OpenLDAP
  2. Configure OpenLDAP as Policy Store

Note: if you already have a working OpenLDAP instance, you can skip section A.

 

A. Install and run OpenLDAP

  • Download OpenLDAP version 2.4.x from OpenLDAP, Download
  • Extract the openldap tar file
    [root@lodbl511vm027 OpenLDAP]# tar -xvzf ./openldap-2.4.44.tgz
  • cd to the extracted folder
    [root@lodbl511vm027 OpenLDAP]# cd openldap-2.4.44
  • Execute the configure command
    [root@lodbl511vm027 OpenLDAP]# ./configure
  • Compile the source by executing the make command
    [root@lodbl511vm027 OpenLDAP]# make
  • Install by executing the make install command
    [root@lodbl511vm027 OpenLDAP]# make install
  • Open the slapd.conf file and modify the database directives as below:
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"

(Note: you can choose any suffix domain of your choice. The default root DN password is secret.)

  • Start the OpenLDAP server
  • Create a file named rootsuffix.ldif with the following content:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: ExampleCo

(Note: the DN that you specify here needs to match the suffix in the slapd.conf file.)

  • Import the rootsuffix.ldif file as below:

ldapadd -f ./rootsuffix.ldif -D "cn=Manager,dc=example,dc=com" -w secret

e.g.

[root@lodbl511vm027 OpenLDAP]# ldapadd -f ./rootsuffix.ldif -D "cn=Manager,dc=example,dc=com" -w secret
adding new entry "dc=example,dc=com"

  • Test the LDAP connectivity by configuring the OpenLDAP server details in the Policy Server Management Console (this can also be done using any other LDAP browser, such as JXplorer).


A few handy commands:

To start OpenLDAP:
[root@lodbl511vm027 openldap-2.4.44]# /usr/local/libexec/slapd

(Optional) To start OpenLDAP in debug mode:
[root@lodbl511vm027 openldap-2.4.44]# /usr/local/libexec/slapd -d 1

To check if OpenLDAP is running:
[root@lodbl511vm027 openldap-2.4.44]# cat /usr/local/var/run/slapd.pid
30538

To stop OpenLDAP:
kill -INT `cat /usr/local/var/run/slapd.pid`

Default OpenLDAP config file location: /usr/local/etc/openldap/slapd.conf

Default OpenLDAP schema folder location: /usr/local/etc/openldap/schema/
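The note above says the DN in rootsuffix.ldif has to match the suffix in slapd.conf. The following shell script is an added example (not code from the original post) that checks this before ldapadd is run: it reads the suffix and rootdn directives in the style shown in this guide, reads the first dn: of the LDIF, and confirms that the root entry equals the suffix and that the rootdn sits under it. The sample slapd.conf and LDIF files are constructed inline and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): check that slapd.conf and
# rootsuffix.ldif agree before running ldapadd. Assumes the slapd.conf
# style shown in this guide (suffix "..." and rootdn "..." directives) and
# the file names used above; all sample content below is constructed.

# Print the quoted value of a slapd.conf directive such as suffix or rootdn.
conf_value() {  # $1 = directive name, $2 = path to slapd.conf
    sed -n "s/^[[:space:]]*$1[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" "$2" | head -n 1
}

# Print the dn: of the first entry in an LDIF file.
ldif_root_dn() {  # $1 = path to LDIF file
    sed -n 's/^dn:[[:space:]]*//p' "$1" | head -n 1
}

# Normalise a DN for comparison: lower-case, no spaces after commas.
norm_dn() {  # $1 = DN
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/,[[:space:]]*/,/g'
}

# Return 0 when the LDIF root entry equals the configured suffix and the
# rootdn lies under (or equals) that suffix; otherwise print why and return 1.
check_policy_store_naming() {  # $1 = slapd.conf, $2 = rootsuffix.ldif
    suffix=$(norm_dn "$(conf_value suffix "$1")")
    rootdn=$(norm_dn "$(conf_value rootdn "$1")")
    ldifdn=$(norm_dn "$(ldif_root_dn "$2")")
    if [ -z "$suffix" ]; then
        echo "no suffix directive found in $1"; return 1
    fi
    if [ "$ldifdn" != "$suffix" ]; then
        echo "LDIF root entry '$ldifdn' does not match suffix '$suffix'"; return 1
    fi
    case "$rootdn" in
        "$suffix"|*",$suffix") ;;
        *) echo "rootdn '$rootdn' is not under suffix '$suffix'"; return 1 ;;
    esac
    return 0
}

# Constructed sample files in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/slapd.conf" <<'EOF'
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
EOF
cat > "$demo_dir/rootsuffix.ldif" <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: ExampleCo
EOF
# A root entry written for a different suffix than slapd.conf uses.
cat > "$demo_dir/wrong.ldif" <<'EOF'
dn: dc=example,dc=org
objectClass: dcObject
dc: example
EOF

check_policy_store_naming "$demo_dir/slapd.conf" "$demo_dir/rootsuffix.ldif" \
    && echo "rootsuffix.ldif matches slapd.conf, safe to ldapadd"
check_policy_store_naming "$demo_dir/slapd.conf" "$demo_dir/wrong.ldif" \
    || echo "wrong.ldif would be rejected by slapd"
```

A mismatch otherwise shows up only at ldapadd time, when slapd refuses the root entry because its DN is not under any configured suffix. The sample keeps the stock rootpw value secret only because the guide does; that directive is stored in cleartext in slapd.conf, so before the policy store holds real data replace it with a hash generated by slappasswd.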

 

B. Configure OpenLDAP as Policy store

  • Stop the OpenLDAP server
  • Specify the CA Single Sign-On Schema Files

Navigate to <siteminder_home>/db/tier2/OpenLDAP and copy the following files to the schema folder in the OpenLDAP installation directory:
openldap_attribute.schema
openldap_object.schema

Navigate to <siteminder_home>/xps/db/Tier2DirSupport/OpenLDAP and copy the following files to the schema folder in the OpenLDAP installation directory:
openldap_attribute_XPS.schema
openldap_object_XPS.schema

 

Then, add the following entries in the include section of the slapd.conf file:

# Specify the CA Single Sign-on Schema Files - START
include /usr/local/etc/openldap/schema/openldap_attribute.schema
include /usr/local/etc/openldap/schema/openldap_object.schema
include /usr/local/etc/openldap/schema/openldap_attribute_XPS.schema
include /usr/local/etc/openldap/schema/openldap_object_XPS.schema
# Specify the CA Single Sign-on Schema Files - END
  • Specify Policy Store Indexing

        Locate the following lines:

# Indices to maintain
index objectClass eq

 

Insert a new line in the file, and then add the following lines:

#Specify Policy Store Indexing START

index smAdminOID4 pres,eq
index smAuthDirOID4 pres,eq
index smAzDirOID4 pres,eq
index smcertmapOID4 pres,eq
index smIsRadius4 pres,eq
index smIsAffiliate4 pres,eq
index smParentRealmOID4 pres,eq
index smPasswordPolicyOID4 pres,eq
index smAgentGroupOID4 pres,eq
index smKeyManagementOID4 pres,eq
index smAgentOID4 pres,eq
index smAgentKeyOID4 pres,eq
index smRootConfigOID4 pres,eq
index smAGAgents4 pres,eq
index smDomainAdminOIDs4 pres,eq
index smDomainOID4 pres,eq
index smvariableoid5 pres,eq
index smNestedVariableOIDs5 pres,eq
index smvariabletypeoid5 pres,eq
index smActiveExprOID5 pres,eq
index smDomainUDs4 pres,eq
index smVariableOIDs5 pres,eq
index smusractiveexproid5 pres,eq
index smPropertyOID5 pres,eq
index smPropertySectionOID5 pres,eq
index smPropertyCollectionOID5 pres,eq
index smFilterClass4 pres,eq
index smTaggedStringOID5 pres,eq
index smNoMatch5 pres,eq
index smTrustedHostOID5 pres,eq
index smIs4xTrustedHost5 pres,eq
index smDomainMode5 pres,eq
# index smImsEnvironmentOIDs5 pres,eq
index smSecretRolloverEnabled6 pres,eq
index smSecretGenTime6 pres,eq
index smSecretUsedTime6 pres,eq
index smSharedSecretPolicyOID6 pres,eq
index smFilterPath4 pres,eq
index smPolicyLinkOID4 pres,eq
index smIPAddress4 pres,eq
index smRealmOID4 pres,eq
index smSelfRegOID4 pres,eq
index smAzUserDirOID4 pres,eq
index smResourceType4 pres,eq
index smResponseAttrOID4 pres,eq
index smResponseGroupOID4 pres,eq
index smResponseOID4 pres,eq
index smRGResponses4 pres,eq
index smRGRules4 pres,eq
index smRuleGroupOID4 pres,eq
index smRuleOID4 pres,eq
index smSchemeOID4 pres,eq
index smisTemplate4 pres,eq
index smisUsedbyAdmin4 pres,eq
index smSchemeType4 pres,eq
index smUserDirectoryOID4 pres,eq
index smODBCQueryOID4 pres,eq
index smUserPolicyOID4 pres,eq
index smAgentTypeAttrOID4 pres,eq
index smAgentTypeOID4 pres,eq
index smAgentTyperfcid4 pres,eq
index smAgentTypeType4 pres,eq
index smAgentCommandOID4 pres,eq
index smTimeStamp4 pres,eq
index smServerCommandOID4 pres,eq
index smAuthAzMapOID4 pres,eq
index xpsParameter pres,eq
index xpsValue pres,eq
index xpsNumber pres,eq
index xpsCategory pres,eq
index xpsGUID pres,eq
index xpsSortKey pres,eq
index xpsIndexedObject pres,eq

#Specify Policy Store Indexing END
  • Enable User Authentication

To enable user authentication, add the following:

# Enable User Authentication - START
access to attrs=userpassword by self write
access to attrs=userpassword by anonymous auth
access to attrs=userpassword by * none
# Enable User Authentication - END
  • Support Client-Side Sorting

To support client-side sorting, add the following:

# Support Client-Side Sorting - START
access to * by users read by anonymous read
sizelimit 500
allow bind_v2
# Support Client-Side Sorting - END
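Two checks worth running on slapd.conf before the test step that follows, as an added shell example (not code from the original post or from CA): one confirms that all four CA schema files from this guide are actually included, the other confirms that the userpassword access rules above are evaluated before the catch-all "access to *" line. slapd applies the first access directive whose <what> selector matches the entry or attribute, so if the catch-all were placed first its "by anonymous read" would also govern userPassword and expose every stored password hash to anonymous binds. The schema folder path is the guide's; the sample configurations and the helper names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): two checks to run on slapd.conf
# before "slapd -Tt". It assumes the schema folder used in this guide
# (/usr/local/etc/openldap/schema/) and the ACL lines shown above; the sample
# configurations are constructed inline.

SCHEMA_DIR=/usr/local/etc/openldap/schema

# Print the CA Single Sign-On schema files from this guide that have no
# include line in the given slapd.conf (prints nothing when all are present).
missing_schema_includes() {  # $1 = path to slapd.conf
    for f in openldap_attribute.schema openldap_object.schema \
             openldap_attribute_XPS.schema openldap_object_XPS.schema; do
        grep -q "^[[:space:]]*include[[:space:]]*$SCHEMA_DIR/$f" "$1" || echo "$f"
    done
}

# Line number of the first "access to attrs=userpassword" directive, or nothing.
userpassword_acl_line() {  # $1 = path to slapd.conf
    grep -n -i '^[[:space:]]*access[[:space:]]*to[[:space:]]*attrs=userpassword' "$1" \
        | head -n 1 | cut -d: -f1
}

# Line number of the first catch-all "access to *" directive, or nothing.
catchall_acl_line() {  # $1 = path to slapd.conf
    grep -n '^[[:space:]]*access[[:space:]]*to[[:space:]]*\*' "$1" \
        | head -n 1 | cut -d: -f1
}

# slapd applies the first access directive whose <what> matches, so the
# userpassword rule only takes effect if it precedes "access to *". With the
# order reversed, "by anonymous read" from the catch-all would apply to
# userPassword as well and expose every stored password hash.
userpassword_acl_is_effective() {  # $1 = path to slapd.conf
    pw=$(userpassword_acl_line "$1")
    all=$(catchall_acl_line "$1")
    if [ -z "$pw" ]; then
        echo "no access directive for attrs=userpassword"; return 1
    fi
    if [ -z "$all" ]; then
        return 0   # nothing shadows the userpassword rule
    fi
    if [ "$pw" -lt "$all" ]; then
        return 0
    fi
    echo "'access to *' on line $all shadows the userpassword rule on line $pw"
    return 1
}

# Constructed sample configurations.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/openldap_attribute.schema
include /usr/local/etc/openldap/schema/openldap_object.schema
include /usr/local/etc/openldap/schema/openldap_attribute_XPS.schema
include /usr/local/etc/openldap/schema/openldap_object_XPS.schema
database bdb
suffix "dc=example,dc=com"
access to attrs=userpassword by self write
access to attrs=userpassword by anonymous auth
access to attrs=userpassword by * none
access to * by users read by anonymous read
EOF
# Same content with the XPS schema files forgotten and the ACLs in the wrong order.
cat > "$demo_dir/bad.conf" <<'EOF'
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/openldap_attribute.schema
include /usr/local/etc/openldap/schema/openldap_object.schema
database bdb
suffix "dc=example,dc=com"
access to * by users read by anonymous read
access to attrs=userpassword by self write
access to attrs=userpassword by anonymous auth
access to attrs=userpassword by * none
EOF

for conf in good.conf bad.conf; do
    echo "== $conf"
    missing_schema_includes "$demo_dir/$conf" | sed 's/^/missing include: /'
    if userpassword_acl_is_effective "$demo_dir/$conf"; then
        echo "userpassword ACL is effective"
    fi
done
```

Run it against the real file with userpassword_acl_is_effective /usr/local/etc/openldap/slapd.conf; it complements the slapd -Tt step below, which checks syntax only and accepts both orders.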

 

  • Test the Configuration File

Run the following command to test the slapd.conf file for any misconfiguration:

/usr/local/libexec/slapd -Tt

  • Index the Database

Run the following command to index the database:

slapindex -f /usr/local/etc/openldap/slapd.conf

  • Start OpenLDAP server
  • Create the Policy Store Database

Create a file named entities.ldif with the following content (LDIF requires a blank line between entries):

# Netegrity, example.com
dn: ou=Netegrity,dc=example,dc=com
ou: Netegrity
objectClass: organizationalUnit
objectClass: top

# SiteMinder, Netegrity, example.com
dn: ou=SiteMinder,ou=Netegrity,dc=example,dc=com
ou: SiteMinder
objectClass: organizationalUnit
objectClass: top

# PolicySvr4, SiteMinder, Netegrity, example.com
dn: ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,dc=example,dc=com
ou: PolicySvr4
objectClass: organizationalUnit
objectClass: top

# XPS, PolicySvr4, SiteMinder, Netegrity, example.com
dn: ou=XPS,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,dc=example,dc=com
ou: XPS
objectClass: organizationalUnit
objectClass: top

Import the entities.ldif file as below:

ldapadd -f ./entities.ldif -D "cn=Manager,dc=example,dc=com" -w secret

e.g.

 

  • Point the Policy Server to the Policy Store

Specify OpenLDAP server details and test the connectivity from Policy Server Management Console.

  • Set the CA Single Sign-On Super User Password

Run the following command:

smreg -su password

  • Import the Policy Store Data Definitions

Run the following command:

XPSDDInstall SmMaster.xdd

SmMaster.xdd is located in the <siteminder_home>\xps\dd folder

  • Import the Default Policy Store Objects

Run the following command:

XPSImport smpolicy.xml -npass

SmPolicy.xml is located in the <siteminder_home>\db folder

  • Start Policy Server

References:

  1. Installing an OpenLDAP server | Linux.com | The source for Linux information 
  2. Configure OpenLDAP as a Policy Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

Introduction

In this guide we will see how to customize the out-of-the-box (OOTB) login form so that it accepts more than the usual username and password attributes, and how to authenticate the user using those additional attributes.

The password, however, is a mandatory attribute for authentication and can't be skipped.

This will be illustrated using the HTML Form authentication scheme and will not involve any custom authentication scheme.

Environment

  • Policy Server: ANY
  • Web Agent: ANY
  • User Directory: ANY

Instructions

For illustration, let us assume that we need to request the user's email address in the login form and validate it during authentication, in addition to the username and password.

Step 1. Modify the .fcc template file (login.fcc) to collect the additional attribute

Add the following line at the beginning of the file:

@password=PASSWORD=%PASSWORD%&mail=%mail%

If the additional attribute can contain special characters, the line looks like the following sample:

@password=PASSWORD=%PASSWORD%&mail=%urlencode(mail)%

Here, 'mail' is the new attribute that you are configuring to collect from the user during login.

Also, create a new input text field for the email address as below:

<tr>
 <td WIDTH=20 > </td>
 <td ALIGN="LEFT" >
   <b><font size=-1 face="arial,helvetica" > Email: </font></b>
 </td>
 <td ALIGN="LEFT" >
  <input type="text" name="mail" size="30" style="margin-left: 1px">
 </td>
 <td WIDTH=20 > </td>
</tr>


Let's save this as a new customlogin.fcc file.

 

Step 2. Create a new authentication scheme of type HTML Form Template in the Administrative UI as below.

  • The name of the attribute in the HTML Forms authentication scheme must match the name of the additional attribute in the .fcc file. For example, to add the attribute mail (as shown in step 1) to the authentication scheme, enter the string AL=PASSWORD,mail in the Additional Attributes List field.
  • The name of the additional attribute must match the name of the attribute in the user directory. This is VERY important because here we are not just collecting the additional attribute from the user, but also validating that it matches the user record in the user directory. So in this case the Policy Server will actually validate that the email address provided matches the user record; if it doesn't match, the user will NOT be authenticated.

(Screenshot: authscheme.jpg)


Step 3 - Configure realm to use the new HTML FORM authentication scheme created in step 2.

(Screenshot: Realm.jpg)


Attachment:

customlogin.fcc

Testing:

(Screenshot: CustomLogin.jpg)

Additional Information

This tip describes testing the configuration for Agent Gateway/SPS setup that avoids the situation where one "bad" back-end server will stop all access requests via Agent Gateway even those to other working "good" back-end servers.

 

Testing the configuration from:

TechTip - Configure Agent Gateway/SPS to avoid one bad back-end taking down all AG/SPS traffic. 

 

In the videos here, Agent Gateway version R12.6 was used, but the same results were obtained when testing the earlier version SPS R12.52 SP1.

 

 

04-Test Setup : 

This video walks through the VMWare machine test setup.  We have: a Frontend server with jmeter installed on it with test scripts for a "good" and "bad" backend server; we have an Agent Gateway/SPS machine forwarding the requests; and a backend web server with small test proxy program to simulate two backend servers and the ability to add a delay to the "bad" one.

 

 

05-Test Failure:

Here we show the test scripts; we have two instances of jmeter running, one against the "good" site and one against the "bad" site. In this test we show that with the default configuration, when the "bad" backend server goes down, the Agent Gateway is blocked and we also can't access the other "good" backend server.

 

06-Test Success:

Here we show the configuration changes, and then run the two jmeter test scripts. We show that with the changed configuration, when the "bad" backend server goes down, the Agent Gateway is not completely blocked and access to the "good" backend server still works correctly.


07 - Tools used : 

 

  • JMeter: http://jmeter.apache.org/
  • JMeter Plugins: JMeter Plugins :: JMeter-Plugins.org
  • Simulating down backend: Any method of simulating (or even a real server) can be used to create the test scenario. The java test tool I have used is attached below.
  • jmeter scripts: see jmeter-test-scripts.zip attachment at end of post.

Cheers - Mark

The short version (executive summary): 

Agent Gateway is the CA product formerly known as Secure Proxy Server; for the purpose of this article, I'll refer to it as Agent Gateway or Ag for short.


When one back-end server for Agent Gateway goes down, all of the connection pool entries and worker threads are clogged up with transactions for the one down (or very slow) "bad" back-end server. Other requests destined for other "good" working back-ends are also held up and do not get processed. The effect is that the one "bad" back-end server tends to drive the whole Agent Gateway offline, and it is unable to process any requests.

 

The solution is to give a fixed max size to the back-end connection pool, where the fixed max size has to be less than the max available worker threads, and to give a quick timeout to any request trying to get a back-end connection beyond that pool size. Then when one back-end server fails, it does hog worker threads, but only up to the limit of the connection pool size, and importantly it leaves the remaining threads free to handle requests to non-hung back-end servers.

 

The settings to change server.conf are from: 

# http_connection_pool_max_size="420"

# http_connection_pool_wait_timeout="0"

to:

http_connection_pool_max_size="100"  # (max pool of 100)

http_connection_pool_wait_timeout="200" # (timeout if pool size already over 100 of 200ms)

 

The longer version :

1. Background.

 

Because Agent Gateway acts as a proxy, it holds onto the connection from the front end (client) while it sends the request to the back-end server to be processed. For a working back-end system the response time is generally fairly quick and the number of connections/worker threads needed to maintain throughput is minimal.

 

So for example, as in the diagram below:

 

If we have a requirement for 100 requests/sec, and the back-end response time is 200ms, then the bandwidth in connections/threads we will need is the ability to handle about 20 requests in parallel. So we will need: 20 httpd worker threads in apache; 20 connections via mod_jk from apache to tomcat; 20 worker threads in tomcat; and 20 connections to the back-end server. Note that the SPS is mostly idle: for most of the elapsed 200ms the threads are inactive, waiting for the response from the back-end server.

 

However, if the back-end server's performance slows down so that each transaction takes 2 sec rather than 200ms, then the number of in-progress transactions that Ag will have open at one time increases. That would be 100 trans/sec x 2 sec = 200 open transactions. So now we need a bandwidth of: a connection pool of 200, a thread pool of 200, and so on, for each component. Obviously, if the back-end server goes even slower, the pool/thread size requirements continue to increase.

Ultimately, if we get to the stage where the back-end server is down, then for the original 200 request/sec load (with the default settings of a 60 sec timeout and a 3x retry) we are faced with each transaction taking 180 sec before it sends its failure response back to the client.

Under those conditions the connection/thread pool sizes that we would need are 18,000. So we would need 18,000 of each: httpd threads; connections from clients to httpd; connections from Apache via mod_jk to Tomcat; Tomcat threads; and connections from Tomcat to the back-end.

Obviously, before that we have probably hit some limit, probably a 150 thread pool size in Apache, or 600 or 1000 depending on what you have it set to. But the important thing is that when the back-end server is down, the SPS is flooded with waiting requests, and we cannot realistically (or meaningfully) hold open all of those requests for all of those retries.

But this is not the problem we are solving; this is the background to the problem.

2. The Problem - one bad back-end can stop all activity

Now, generally an Agent Gateway server has multiple back-end servers. And if one back-end server goes down then, as we have seen, that leaves a heavy footprint on the internal Ag infrastructure, blocking up all the pipes and stopping access to all back-end servers, not just the non-working one.

3. Connection Pool Size

Here is the pattern of connection/thread pool sizes that is best for throughput if the Agent Gateway has only one back-end server. The design is that at each stage the next pipe's bandwidth is slightly larger than the previous one. With that model all incoming requests will be forwarded on to the next stage, and ultimately on to the back-end server, and there will be no internal bottleneck within Ag.

The reality for Ag is that in normal operating conditions the connection pool usage is low, often only 5, 10 or 20 active requests depending on the type of transaction, and that the pool sizes & thread counts only go up to values of 100 or more when there are delays or problems with the back-end servers.

4. The Solution

If we have multiple back-end servers, and we know:

a) that normally the pool size is about 20 connections; and

b) that if the back-end connections go above 100 there is a problem with that back-end server,

then we can set up the back-end connection pool as above, with fewer connections to the back-end than there are httpd & tomcat worker threads.

Normally, if we have a connection pool of 100 and all 100 are in use, then when the 101st request comes in for the same back-end, the new request/thread would wait (forever) for a connection to become available.

But for our purposes we know that, since we already have 100 requests in progress, we are in trouble. So what we do is add a quick timeout: the new request will time out very quickly and return an error to the client, and importantly it will return the httpd & tomcat worker threads to the available pools.

Here are the settings we change in server.conf:

http_connection_pool_max_size="420"

http_connection_pool_wait_timeout="0"

And we change them to:

http_connection_pool_max_size="100"  (max pool of 100)

http_connection_pool_wait_timeout="200" (200ms timeout once the pool is at 100)

So when we have one "bad" back-end server, it will have 100 threads waiting on a response or a connection to the back-end, but importantly only 100 worker threads. The remaining ~150 httpd worker threads and tomcat worker threads are still free to handle requests for the "good" back-end servers, so requests for the "good" servers are still processed as normal. The 100 or so waiting threads are not using a lot of resources, as they are mostly idle waiting for a response from the "bad" back-end server, so throughput to the good servers does not seem to be affected much.
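As an added illustration (not code from the original post or from CA), here is a small Python model of the two server.conf knobs, scaled down to an 8-thread worker pool: one hung back-end and one healthy back-end share the workers, first with a pool at least as big as the worker count and an unbounded wait (the "420"/"0" defaults, scaled), then with a pool smaller than the worker count plus a quick wait timeout (the "100"/"200" change, scaled). The BackendPool class, run_gateway, the two scenario functions and the request mix are all constructed for this example.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor, wait

class BackendPool:
    """Per-back-end connection pool modelling the two server.conf knobs:
    max_size (http_connection_pool_max_size) and wait_timeout_ms
    (http_connection_pool_wait_timeout, where 0 means wait forever)."""
    def __init__(self, name, max_size, wait_timeout_ms, hung=False):
        self.name, self.hung = name, hung
        self._slots = threading.BoundedSemaphore(max_size)
        self._timeout = None if wait_timeout_ms == 0 else wait_timeout_ms / 1000
        self.recovered = threading.Event()  # a hung back-end answers only once this is set

    def call(self):
        if not self._slots.acquire(timeout=self._timeout):
            return "pool-timeout"  # fast fail: the worker thread goes straight back to its pool
        try:
            if self.hung:
                self.recovered.wait()  # "down" back-end never responds during the run
                return "error"
            time.sleep(0.001)  # healthy back-end answers quickly
            return "ok"
        finally:
            self._slots.release()

def run_gateway(pools, requests, worker_threads=8, budget_s=2.0):
    """Push requests (a list of back-end names) through one shared worker pool, as the
    httpd/tomcat threads are shared; return outcome counts per back-end seen within budget_s."""
    by_name = {p.name: p for p in pools}
    counts = {p.name: {} for p in pools}
    lock = threading.Lock()
    def handle(name):
        outcome = by_name[name].call()
        with lock:
            counts[name][outcome] = counts[name].get(outcome, 0) + 1
    with ThreadPoolExecutor(max_workers=worker_threads) as ex:
        futures = [ex.submit(handle, n) for n in requests]
        wait(futures, timeout=budget_s)
        with lock:
            snapshot = {n: dict(c) for n, c in counts.items()}
        for p in pools:
            p.recovered.set()  # release hung calls so the executor can shut down cleanly
    return snapshot

REQUESTS = ["bad", "good"] * 20  # constructed mix: 20 to a hung back-end, 20 to a healthy one

def default_config():  # pool >= worker threads, unbounded wait: the hung back-end starves "good"
    return run_gateway([BackendPool("bad", 8, 0, hung=True), BackendPool("good", 8, 0)], REQUESTS)

def bulkhead_config():  # pool < worker threads plus a quick wait timeout: at most 3 workers tied up
    return run_gateway([BackendPool("bad", 3, 100, hung=True), BackendPool("good", 3, 100)], REQUESTS)
```

With the default-style settings the eight workers are all captured by the hung back-end after a handful of "good" requests, and the rest of the "good" traffic never gets served; with the bulkhead settings every "good" request completes and the surplus "bad" requests fail fast with a pool timeout.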


5. The Video - Testing the Solution

We also ran some sample test JMeter scripts using this technique; the results, JMeter script & recorded video are in a second post, at the following link:

TechTip: Testing Solution to Agent Gateway/SPS with one bad back-end

Effectively, the results are that with the original, and most common, configuration, then as expected when one back-end server goes down the traffic to the other back-end servers is affected as well. Below, the blue shows successful transactions and the pink shows errors. We can see that both servers are affected:

However, with the settings we suggest above, when one back-end server goes down, traffic to the other back-end server is essentially unaffected:

6. Conclusion

Traffic and load are always different for different installations. The best way to ensure your Agent Gateway is configured to handle both your normal traffic load and the load under exceptional circumstances is by testing. With load testing it is best to also test to breaking point, to understand where and how the system breaks, and also how the system performs when components - such as the various back-end servers - fail.

The above offers a way to handle the common situation where one back-end server goes down. We recommend that you test the settings in your own QA environment, both under normal conditions and with failed back-end servers, before applying them to production.