Chat Transcript: Office Hours for CA Single Sign-On [JUNE 2016]

Document created by kristen.palazzolo Employee on Jun 17, 2016. Last modified by kristen.palazzolo Employee on Dec 17, 2016.
Version 3
June 16, 2016    11:01:01 AM    from Melanie Giuliani to Everyone:Hi Theo! You're the only one on right now, so we can get started! Do you have any questions?

 

 

June 16, 2016    11:03:14 AM    from Melanie Giuliani to Everyone:Hi everyone - we're just getting started here. Please feel free to type any questions you have into this box!

 

 

June 16, 2016    11:04:41 AM    from Sam Dikeman to Everyone:Any more chatter about a potential EOL for 12.51?

 

 

June 16, 2016    11:07:00 AM    from Herb Mehlhorn to Everyone:@Sam ...no specific plans there yet.  Here is my thumbnail... anticipate an announcement to be made this year with an EOS date that is in early 2018....but this is just a thumbnail estimate at this point.

 

 

June 16, 2016    11:08:08 AM    from Melanie Giuliani to Everyone:Don't be shy! Feel free to ask any questions you have. Our experts are standing by!

 

 

June 16, 2016    11:08:47 AM    from Prakhar to Everyone:@Herb, regarding the Riskminder - Siteminder integration limitation, I still haven't heard any replies from your team on the behaviour, can you please get that looked into.. Case# 00414374

 

 

June 16, 2016    11:09:17 AM    from Herb Mehlhorn to Everyone:@prakhar...I had reviewed that case and I saw the response

 

 

June 16, 2016    11:09:29 AM    from Herb Mehlhorn to Everyone:@prakhar...have you looked recently?

 

 

June 16, 2016    11:10:09 AM    from Herb Mehlhorn to Everyone:@Prakhar,  I think the answer is ...if you set the resource that is protected by RBA to a different auth strength classification...it will do what you want.

 

 

June 16, 2016    11:11:08 AM    from Prakhar to Everyone:I believe the issue is misunderstood. After the integration of CA Siteminder SSO and Risk Authentication we found that if a user has a valid SMSESSION and then goes to a Realm/Application protected with Riskminder Custom Auth Scheme, their Risk is never evaluated.

 

 

June 16, 2016    11:12:01 AM    from Prakhar to Everyone:@Herb, there was no customer facing update, the last I heard was from your Support Engineer that he would raise a case with SE and share the video recording..

 

 

June 16, 2016    11:12:54 AM    from Herb Mehlhorn to Everyone:@prakhar...here is the last statement I see:

 

 

June 16, 2016    11:13:00 AM    from Herb Mehlhorn to Everyone:@prakhar:  Customer should configure the protection level of URL2 which should be greater than URL1 protection level (or) customer should engage our services team for this custom implementation.

 

 

June 16, 2016    11:13:48 AM    from Herb Mehlhorn to Everyone:@prakhar...if you configure the protection level to be higher on URL2, then it should accomplish what you want.

 

 

June 16, 2016    11:14:29 AM    from Herb Mehlhorn to Everyone:@prakhar....Ariharan Renganathan is the support engineer there and you can get him to walk you through this in more detail.

 

 

June 16, 2016    11:14:47 AM    from Prakhar to Everyone:@Herb, that would break SSO, we just want risk eval to be triggered

 

 

June 16, 2016    11:15:24 AM    from Sam Dikeman to Everyone:We have some monitoring tools in place for our SM environment.  One of them looks at the virtual memory used by the smpolicysrv process.  We know that now it is set too low (~2.7GB) but back years ago, that was a number we used because old versions of the product didn't behave well for us once we got over that number.  Would there be a recommended value that you feel would be a "Hey something might be amiss here" number that we should use?  Or just pick a value less than the 32 bit limit knowing it will crash if it gets to that?

 

 

June 16, 2016    11:15:50 AM    from Sam Dikeman to Everyone:Sorry - using RH os

 

 

June 16, 2016    11:16:33 AM    from Sam Dikeman to Everyone:I know it's kind of an open-ended question but we have to start somewhere...

 

 

June 16, 2016    11:17:56 AM    from Herb Mehlhorn to Everyone:@prakhar,...to keep the single sign on experience of the end user between URL1 and URL2 would today require a customization.    This is a good enhancement that we could add to the product, but today the user would be challenged if they go from an application with lower protection level to an application with higher protection level requirement.  They would not be challenged if going from higher to lower.

 

 

June 16, 2016    11:20:47 AM    from Stephen McQuiggan (CA) to Everyone:@sam - I would leave it the way it is, policy server can become unstable as the size gets closer to the limit.  We are working on a 64-bit version, you can get it through the validation program

 

 

June 16, 2016    11:20:51 AM    from uma ramachandran to Everyone:@prakhar what you are discussing about if I understand right...you authenticate through URL1 into one application and say click a link from within, get redirected to URL2, you have to reauthenticate as URL has higher protection level

 

 

June 16, 2016    11:25:10 AM    from Sam Dikeman to Everyone:@Steve - well, now you're making me nervous.  Out of our 61 production policy servers, 27 are over 3GB...

 

 

June 16, 2016    11:25:31 AM    from Herb Mehlhorn to Everyone:@sam...more detail..the upcoming 12.6 release is a 64 bit policy server...that release is in customer validation today.  You could go to validate.ca.com and register in the CA SSO program to download and test.

 

 

June 16, 2016    11:28:05 AM    from Theo Martin to Everyone:About the 12.6 release, we have installed CA directory for Policy Store and a Policy Server. We tried to import existing data into the policy store but it fails. Is there anything else to import prior to importing the data (i.e. schema)?

 

 

June 16, 2016    11:28:28 AM    from Sam Dikeman to Everyone:@Herb - thanks but I don't see any real appetite for being the bleeding edge where I am right now.  I don't mean to beat this to death but the 12.51 upgrade adventure is still fresh enough...

 

 

June 16, 2016    11:28:56 AM    from Prakhar to Everyone:@Herb, yes we do expect this to be added as part of a functionality in future releases as Auth Level is not a good way to handle sensitive applications when we already have secondary auth mechanism in place? Also there is no way to trigger Risk Eval once Siteminder session is already created and is valid..

 

 

June 16, 2016    11:32:14 AM    from Herb Mehlhorn to Everyone:@sam  understand the comment we continue to focus on this issue... we understand that there are differences that exist in all environments and we are working to make code available earlier to give it broader testing exposure.

 

 

June 16, 2016    11:32:31 AM    from Aaron Berman (CA) to Everyone:@sam, I understand what you went through in the upgrade, what I can say is that significant progress has been made in terms of quality, automated testing etc.  The comments we have gotten about the 12.6 validation have been very positive from the quality of a beta release from the people that have been working with it

 

 

June 16, 2016    11:33:39 AM    from Herb Mehlhorn to Everyone:@theo  ...I think this is something we need the team here to look at...did you open commentary about this in validation site?

 

 

June 16, 2016    11:34:20 AM    from Aaron Berman (CA) to Everyone:@theo  If the data fails on import, then it likely is due to some mislinked objects in the policy store.  We have seen this as people have upgraded to 12.51, 12.52 and now 12.6.  There is a tool that is part of 12.6 validation that allows you to look at the export for those policy linkage errors and fix them. It is a switch on the xpsimport command

 

 

June 16, 2016    11:34:33 AM    from Stephen McQuiggan (CA) to Everyone:@theo - if you are getting an error using CA dir as a policy store I would suggest opening an issue and have a support eng assist - there is a set of procedures to set up LDAP stores

 

 

June 16, 2016    11:35:38 AM    from Theo Martin to Everyone:Sounds good, thank you. I was also curious as to why "Ca directory" is not an option when configuring the Policy Server?

 

 

June 16, 2016    11:35:48 AM    from Herb Mehlhorn to Everyone:@prakhar...as long as the system believes the user's credential (session) is a validated session and is of the appropriate protection level...then the system does not rechallenge the user.

 

 

June 16, 2016    11:37:07 AM    from Stephen McQuiggan (CA) to Everyone:@theo - there is the validation repair tools in R12.52 SP2 - see link for further details   https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/administrating/policy-server-tools/xpssweeper

 

 

June 16, 2016    11:37:09 AM    from Herb Mehlhorn to Everyone:@prakhar...it is certainly conceivable that this could be configurable, but today it is not.

 

 

June 16, 2016    11:38:20 AM    from Rob Lindberg (CA) to Everyone:@theo - as far as CA Directory in the configuration wizard, the current version doesn't allow us to do remote configuration, so it can't yet be automated in the wizard

 

 

June 16, 2016    11:39:34 AM    from Aaron Berman (CA) to Everyone:@theo you can also look at this tool (from the community site) to make the CA directory setup easier  https://communities.ca.com/thread/101014937

 

 

June 16, 2016    11:40:13 AM    from Theo Martin to Everyone:@Stephen @Aaron, thanks!

 

 

June 16, 2016    11:40:17 AM    from Timothy Rapley (CA) to Everyone:@theo A more comprehensive outline of the policy store repair process available in 12.52 SP2 and 12.6 validation is here: https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/upgrading/upgrading-an-r6-x-policy-store/diagnose-and-correct-integrity-errors-in-your-existing-r6-x-policy-store

 

 

June 16, 2016    11:41:13 AM    from Timothy Rapley (CA) to Everyone:@theo And for 12.x stores, here: https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/upgrading/upgrading-from-r12-x/diagnose-and-correct-integrity-errors-in-your-existing-policy-store

 

 

June 16, 2016    11:45:14 AM    from Melanie Giuliani to Everyone:Alright, this is the 15 minute warning! Please get your last-minute questions in now!

 

 

June 16, 2016    11:51:44 AM    from Sam Dikeman to Everyone:@Steve - should I be concerned that so many of our production memory footprints are over 3GB?  I know I can open a specific case, just looking for general recommendations...

 

 

June 16, 2016    11:54:20 AM    from Aaron Berman (CA) to Everyone:@sam - I would keep an eye on it.  We have seen some cases where high memory util is tied to policy server crashes - it can point to having too many threads, or a memory leak etc.   It could also mean you just have a large policy store with caches turned up as well.

 

 

June 16, 2016    11:54:39 AM    from Aaron Berman (CA) to Everyone:@sam but I wouldn't immediately panic unless you are seeing periodic crashing.

 

 

June 16, 2016    11:58:43 AM    from Melanie Giuliani to Everyone:@All - that's it for today's session! Thank you to everyone for joining! Keep an eye on the community for a copy of this transcript either later today or tomorrow!
