Symantec Access Management

Tech Tip : CA Single Sign-On : When running smreghost tool the SmHost.conf file is created differently depending on ports used 

Aug 01, 2018 11:31 AM

Question:

We have installed our Policy Server using custom ports (TCP 55551-55554) instead of the default ones due to some network restrictions. When we register a Web Agent using the smreghost tool, we see the SmHost.conf is created correctly, the Agent works fine, and in the contents of the file we see the policyserver parameter being set with the same port repeated:

  policyserver="MyPolicyServer,55553,55553,55553"

In another environment, we are using the default ports (TCP 44441-44444), and when we do the same procedure we see the ports are stored differently in the SmHost.conf file:

  policyserver="MyOtherPolicyServer,44441,44442,44443"

The Web Agents are working fine, but could this have any repercussions afterwards? Does it affect the way the Agent communicates with the Policy Server? Why is this happening?

Environment:

Policy Server : R12.52 SP1
Web Agent : R12.52 SP1

Answer:

This difference is due to backwards compatibility. Older Policy Server versions used a separate port for each of the three services (44441 for Accounting, 44442 for Authentication and 44443 for Authorization). From R6.x onward, Agents use a single port (44443 by default) for all three services, so only that one port is actually needed for the Agent to connect to the Policy Server. Defining different ports on the Policy Server is only useful for backwards compatibility with those older Agents.

When you run the smreghost tool on a current version, only one port can be specified, in the form <Policy_Server_IP>:<TCP_Port>. The port is optional and only needs to be given when the Policy Server listens on a custom port.

Usage:
    smreghost -i ipAddress[:port] -u username [-p password] -hn hostname -hc hostconfigobject
     -i  <IPv4 address or IPv6 address enclosed in square brackets as in [IPv6 address][:port]>
    -hn  <Name for host to be registered>
    -hc  <Name of host configuration object>
  [ -sh  <Shared secret for the host> ]
  [ -rs ]  (enable shared secret rollover for host)
  [  -u  <Administrator username> ]
  [  -p  <Administrator password> ]
  [  -f  <File to store registration data in (defaults to ./SmHost.conf)> ]
  [ -cf  <Crypto FIPS140 mode (COMPAT or MIGRATE or ONLY)> ]
  [ -cp  <Name of crypto provider (ETPKI)> ]
  [  -o  <Overwrite existing Trusted Host> ]

So, if you want to enable R4/5.x backwards compatibility while using a custom port on the Policy Server, register the Agent with the single port and then edit the SmHost.conf manually to set the three different ports. If you do not need that compatibility, no change is required, because, as mentioned, R6.x and higher use only one port.

If you are using the default ports, no port needs to be specified when registering the Agent, and the SmHost.conf will be created with the three default ports.
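As an added example (not code from the CA/Symantec product or from this Tech Tip), the following Python script reads the policyserver parameter from an SmHost.conf, reports whether it is in single-port form (R6.x and later) or three-port form (R4/5.x backwards-compatible), and rewrites the line with three distinct ports, which is the manual edit described above. The file contents, host names and the port assignment 55551/55552/55553 are constructed for illustration and assume the same accounting/authentication/authorization ordering as the default 44441/44442/44443; the ports you actually write must match what is configured on your Policy Server.

```python
"""Inspect and adjust the policyserver entry of a CA Single Sign-On SmHost.conf.

Added example; the sample file contents below are constructed and are not
taken from a real installation.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample contents, modelled on the two SmHost.conf files quoted in
# the question (only the lines relevant to this example are included).
SAMPLE_CUSTOM_PORT = """\
hostname="myhost"
hostconfigobject="DefaultHostSettings"
policyserver="MyPolicyServer,55553,55553,55553"
"""

SAMPLE_DEFAULT_PORTS = """\
hostname="myotherhost"
hostconfigobject="DefaultHostSettings"
policyserver="MyOtherPolicyServer,44441,44442,44443"
"""

# Matches  policyserver="host,acct,authn,authz"  and keeps the quoting intact.
_PS_RE = re.compile(r'^(\s*policyserver\s*=\s*")([^"]*)(".*)$')


@dataclass
class PolicyServerEntry:
    host: str
    accounting: int       # first port  (44441 by default)
    authentication: int   # second port (44442 by default)
    authorization: int    # third port  (44443 by default)

    @property
    def single_port(self) -> bool:
        """True when all three services share one port (R6.x and later style)."""
        return self.accounting == self.authentication == self.authorization


def parse_policyserver(conf_text: str) -> List[PolicyServerEntry]:
    """Return every policyserver entry found in the SmHost.conf text."""
    entries = []
    for line in conf_text.splitlines():
        m = _PS_RE.match(line)
        if not m:
            continue
        fields = [f.strip() for f in m.group(2).split(",")]
        if len(fields) != 4:
            raise ValueError(f"unexpected policyserver value: {m.group(2)!r}")
        host, acct, authn, authz = fields
        entries.append(PolicyServerEntry(host, int(acct), int(authn), int(authz)))
    return entries


def describe(entry: PolicyServerEntry) -> str:
    """Human-readable summary of which registration style the entry uses."""
    if entry.single_port:
        return (f"{entry.host}: single port {entry.authorization} for all "
                f"services (R6.x and later style)")
    return (f"{entry.host}: accounting={entry.accounting}, "
            f"authentication={entry.authentication}, "
            f"authorization={entry.authorization} "
            f"(R4/5.x backwards-compatible style)")


def set_ports(conf_text: str, accounting: int, authentication: int,
              authorization: int) -> str:
    """Return conf_text with every policyserver line rewritten to the given ports.

    This is the manual SmHost.conf edit needed for R4/5.x compatibility when
    the Agent was registered with a single custom port.
    """
    out = []
    for line in conf_text.splitlines():
        m = _PS_RE.match(line)
        if m:
            host = m.group(2).split(",")[0].strip()
            line = (f"{m.group(1)}{host},{accounting},{authentication},"
                    f"{authorization}{m.group(3)}")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for text in (SAMPLE_CUSTOM_PORT, SAMPLE_DEFAULT_PORTS):
        for e in parse_policyserver(text):
            print(describe(e))
    # Assumed custom-port mapping, in the same order as the defaults.
    print(set_ports(SAMPLE_CUSTOM_PORT, 55551, 55552, 55553))
```

Run it against a real file by reading the file into a string and passing it to parse_policyserver; write the output of set_ports back only after stopping the Web Agent, since the file is read at Agent startup.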

 

KD : kb000016195