Symantec Access Management


SiteMinder 12.52 SP1 User Directory - View Contents

  • 1.  SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 07, 2014 02:29 PM

    We installed SiteMinder 12.52 SP1 and are configuring the policies through the WAM UI. Unfortunately, the User Directory View Contents does not return any entry. There are no errors or connectivity-related messages in the smps log, but there are messages in the smtracedefault log, and they do not have much information.

     

    Trace Log Entry:

    [10/07/2014][13:57:08.572][13:57:08][27559][4036483952][SmEmsCommandBase.cpp:497][CSmEmsCommandBase::traceResponse][][][][][][][][][][][][531][][][][][][][<session=>

    <command=smlookup>

            <directory = DEV External>

            <searchpattern = mail=***.com>

    <status=E/0213/0/No session>

    ][][Processed EMS2 response.]

     

    Please refer to the attached log for more details. Can anyone suggest whether we need to do any further configuration/settings?

     

    Thanks,

    Soma

    Attachment(s): smtrace log.txt.zip


  • 2.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 07, 2014 09:02 PM

    Hi Soma,

     

    The error "status=E/0213/0/No session" seems to indicate that there is no valid session with the LDAP directory "DEV External".

    Have you checked that the credential you provided in the user directory definition works using an external LDAP tool (e.g. JXplorer)?


    I would suggest you run the following test to confirm this:


    1. Under your Siteminder_home, go to the bin directory and run the command below:

      ldapsearch.exe -h <host_name> -p <port> -D <"admin_dn"> -w <admin_password> -b <"root_dn"> "objectclass=*"

     

      Example

      ldapsearch.exe -h 10.12.15.12 -p 389 -D "cn=admin,o=ostest,c=com" -w siteminder -b "o=ostest,c=com" "objectclass=*"

     

    This will help us confirm two things :

     

    • If you can bind using the credential provided
    • If the user specified has the ability to perform a search on the directory.


    2. If this still doesn't work, I would also advise you to get the matching access/error log from your LDAP directory to check why the bind/search is failing.

     

    Hope this helps.

     

    Cheers,

    Ujwol

     





  • 3.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 08, 2014 09:32 AM

    Hi Ujwol,

     

    Thanks for your reply!

     

    We tried to search using ./ldapsearch from the bin directory and it shows the values. Also, we have SSL certificates for establishing a connection to the LDAP server; they have been added to the CDS store, and we also created a cert8.db which has been added into the SMConsole as well.

     

    Please let me know if we need to check something else in the configurations.

     

     

    ./ldapsearch -v -b o=external -h ldaps.dev.net -p 636 -Z -P "/opt/siteminder/softpkgs/nssdb" -W certdbpassword -D "cn=SiteMinderServiceUser,ou=accounts,o=servicesext" -w password -s sub "mail=xyz@abc.com"

    ldapsearch: started Wed Oct  8 09:12:12 2014

     

     

    ldap_init( ldaps.dev.net, 636 )

    filter pattern: mail=xyz@abc.com

    returning: ALL

    filter is: (mail=xyz@abc.com)

    version: 1

    dn: cn=B33N9JQJ,ou=ExtUsers15,o=External

    nycExtEmailValidationFlag: FALSE

    nycExtTOUVersion: 1.0

    mail: xyz@abc.com

    DirXML-Associations: cn=eDirToVault,cn=DEVXAdriversA,ou=driversets,o=servicesext#1#{3AA5BEC5-55AC-fa46-D480-3AA5BEC555AC}

    givenName: test

    sn: accounts

    passwordUniqueRequired: FALSE

    passwordAllowChange: FALSE

    objectClass: inetOrgPerson

    objectClass: nycExtUserInfo

    objectClass: organizationalPerson

    objectClass: person

    objectClass: ndsLoginProperties

    objectClass: top

     

    CDS Certificates:

     

    36-CA.CDS::Certificate@000f3c3e-0326-1433-803b-91310a9b306d

                 (I) Alias  : "xxxnet-root-ca"

    37-CA.CDS::Certificate@00010c26-035e-1433-803b-91310a9b306d

                 (I) Alias  : "xxxnet-int-ca"

    38-CA.CDS::Certificate@00023aec-0394-1433-803b-91310a9b306d

                 (I) Alias  : "xxxnet-sign-ca"

     

    Thanks,

    Soma
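The two posts above use the SiteMinder-bundled ldapsearch to prove that the service account can bind and search. Since a bind can succeed while directory ACLs hide attributes or whole entries from that account (which the Admin UI then reports as an empty directory), the following added example, which is not code from the original thread, parses the LDIF that ldapsearch prints and checks that the entries carry the attributes the policy server needs. The sample LDIF is constructed to mirror the entry shape shown above; the file name, the REQUIRED_ATTRS list and the exact switch order in build_ldapsearch_cmd are assumptions.

```python
"""Added example: parse ldapsearch LDIF output and confirm the bind DN can
actually read the attributes the policy server needs. The sample LDIF is
constructed, not captured from a real directory."""
import base64
import re
from typing import Dict, List

# Constructed sample: one entry with a folded attribute line (a continuation
# line starts with a single space, per RFC 2849) and a base64 value (double
# colon), both of which real eDirectory output can contain.
SAMPLE_LDIF = """\
version: 1
dn: cn=B33N9JQJ,ou=ExtUsers15,o=External
mail: xyz@abc.com
DirXML-Associations: cn=eDirToVault,cn=DEVXAdriversA,ou=driversets,o=servicese
 xt#1#{3AA5BEC5-55AC-fa46-D480-3AA5BEC555AC}
givenName: test
sn: accounts
description:: VGVzdCBhY2NvdW50
objectClass: inetOrgPerson
objectClass: person
objectClass: top

"""

# Assumption: the lookup in the thread searches on mail, and objectClass is
# what the user directory definition uses to tell users from groups.
REQUIRED_ATTRS = ("mail", "objectClass")

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Return entries as attribute -> list of values (the DN is under 'dn').
    Folded lines are joined first; anything before the first 'dn:' (the
    chatter that -v prints) is ignored."""
    unfolded = re.sub(r"\n ", "", text)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if not current and not line.startswith("dn:"):
            continue                              # preamble, not part of an entry
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":                           # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_visibility(entries, required=REQUIRED_ATTRS) -> List[str]:
    """Problems found (empty list means the bind DN sees what is needed).
    Zero entries after a successful bind, or entries missing attributes,
    point at the search base or the directory ACLs, not at the credential."""
    problems = []
    if not entries:
        problems.append("bind succeeded but search returned no entries: "
                        "check the search base and the ACLs on the bind DN")
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        for attr in required:
            if attr not in e:
                problems.append(f"{dn}: attribute {attr!r} not visible to bind DN")
    return problems


def build_ldapsearch_cmd(host, port, bind_dn, password, base, flt,
                         certdb_dir=None, certdb_password=None) -> List[str]:
    """argv for the Mozilla-style ldapsearch under <siteminder>/bin, using the
    switches from the post (-Z/-P/-W select the NSS cert DB for LDAPS)."""
    cmd = ["./ldapsearch", "-h", host, "-p", str(port),
           "-D", bind_dn, "-w", password, "-b", base, "-s", "sub"]
    if certdb_dir:
        cmd += ["-Z", "-P", certdb_dir, "-W", certdb_password or ""]
    return cmd + [flt]


if __name__ == "__main__":
    import subprocess
    import sys
    # Usage: python ldap_visibility_check.py <host> <port> <bind_dn> <password> <base> <filter>
    out = subprocess.run(build_ldapsearch_cmd(*sys.argv[1:7]),
                         capture_output=True, text=True, check=True).stdout
    for p in check_visibility(parse_ldif(out)) or ["OK: required attributes visible"]:
        print(p)
```

Run it with the same host, port, bind DN and base you put in the user directory definition; a clean bind that yields "no entries" or missing attributes is the ACL case that ldapsearch alone does not make obvious.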



  • 4.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 08, 2014 02:16 PM

    Hi Soma,

     

    As Ujwol suggested, I would also advise you to get the eDirectory trace logs with the required trace parameters enabled. This might throw some light.

     

    Thanks,

    venkata



  • 5.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 08, 2014 03:28 PM

    Hi Venkat,

     

    We enabled debug logging in the WAM UI and also tried to access the User Directory. We noticed the following messages in the server.log and smps.log.

    Please note that this is not an upgrade. We are setting up a new SiteMinder 12.51 SP1 environment and are not sure why we are getting the message "Failed to decrypt persistent key".

     

    Please advise us.

     

    Server.log:

     

     

     

      2014-10-08 14:24:22,541 DEBUG [ims.securityprovider] (http-0.0.0.0-8888-6) canAdminExecuteTaskOnObjectsEx: object [External-Dev] is OK.

      2014-10-08 14:24:22,567 DEBUG [ims.securityprovider] (http-0.0.0.0-8888-6) canAdminExecuteTaskOnObjectsEx: object [External-Dev] is OK.

      2014-10-08 14:24:22,576 DEBUG [ims.securityprovider] (http-0.0.0.0-8888-6) canAdminExecuteTaskOnObjectsEx: object [External-Dev] is OK.

      2014-10-08 14:24:24,725 DEBUG [ims.tmt.TaskSessionImpl] (http-0.0.0.0-8888-1) Generating an ViewEvent for task ${bundle=com.ca.siteminder.webadmin.task.LocalStrings:key=task.displayName.SMUSERDIRECTORY.ViewUserDirectory} on subject [External-Dev] CA.SM::UserDirectory@0e-00076266-5fad-1434-9b78-91310a9b30dd

      2014-10-08 14:24:25,407 DEBUG [com.ca.siteminder.webadmin.extendedattr.DirCapabilitiesExtendedAttribute] (http-0.0.0.0-8888-1) Error getting capabilities, skipping 'External-Dev' due to 'No session'

      2014-10-08 14:26:37,017 DEBUG [ims.securityprovider] (http-0.0.0.0-8888-1) canAdminExecuteTaskOnObjectsEx: object [External-Dev] is OK.

      2014-10-08 14:26:37,026 DEBUG [ims.securityprovider] (http-0.0.0.0-8888-1) canAdminExecuteTaskOnObjectsEx: object [External-Dev] is OK.

      2014-10-08 14:26:37,041 DEBUG [ims.securityprovider] (http-0.0.0.0-8888-1) canAdminExecuteTaskOnObjectsEx: object [External-Dev] is OK.

      2014-10-08 14:26:39,134 DEBUG [ims.tmt.TaskSessionImpl] (http-0.0.0.0-8888-1) Generating an ViewEvent for task ${bundle=com.ca.siteminder.webadmin.task.LocalStrings:key=task.displayName.SMUSERDIRECTORY.ViewUserDirectory} on subject [External-Dev] CA.SM::UserDirectory@0e-00076266-5fad-1434-9b78-91310a9b30dd

      2014-10-08 14:26:39,264 DEBUG [com.ca.siteminder.webadmin.extendedattr.DirCapabilitiesExtendedAttribute] (http-0.0.0.0-8888-1) Error getting capabilities, skipping 'External-Dev' due to 'No session'

     

    SMPS.log:

     

    [2497/3984042864][Wed Oct 08 2014 14:14:39][SmObjKeyManagement.cpp:459][ERROR][sm-Server-03080] Failed to decrypt persistent key

    [2497/4026002288][Wed Oct 08 2014 14:24:25][SmObjKeyManagement.cpp:459][ERROR][sm-Server-03080] Failed to decrypt persistent key

    [2497/3973553008][Wed Oct 08 2014 14:34:10][CServer.cpp:1726][INFO][sm-Server-01760] Closing Idle connection for session # 23

    [2497/3973553008][Wed Oct 08 2014 14:39:10][CServer.cpp:1726][INFO][sm-Server-01760] Closing Idle connection for session # 24

    [2497/3973553008][Wed Oct 08 2014 14:39:10][CServer.cpp:1726][INFO][sm-Server-01760] Closing Idle connection for session # 22

    [2497/4015512432][Wed Oct 08 2014 15:09:46][SmObjKeyManagement.cpp:459][ERROR][sm-Server-03080] Failed to decrypt persistent key

     

    Thanks,

    Soma



  • 6.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 08, 2014 09:54 PM

    Hi Soma,

    Please check following if it helps to address the "Failed to decrypt persistent key"

     

    https://communities.ca.com/message/98942983

     

    Regards,

    Kar Meng



  • 7.  Re: SiteMinder 12.52 SP1 User Directory - View Contents
    Best Answer

    Posted Oct 09, 2014 10:33 AM

    Hi all,

     

    Thanks a lot for all your help!

    The issue has been fixed now. We added the value in the registry and then recycled the Policy Server and JBoss Application Server. I am able to view the contents in the User Directory.

    Steps:

    1. Stopped the Policy Server and OneView Monitor Services

     

    2. Registry file backed up.

       FileName: sm.registry

       Path: /opt/siteminder/registry

     

    3. Added the following value in the ObjectStore section of the registry.

          The Object Store section will look like the one below.

           HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=97907558

 

           New line added with the value below:

            AllowEmptyEncKey=                        1;  REG_DWORD

    4. Started the Policy Server and OneView Monitor. Make sure there are no errors in the smps.log.

    5. Restarted the WAM UI services (JBoss).

    6. Tested the WAM UI access and navigated to "Shared Secret Rollover". Please make sure it shows up without any errors.

         Tasks ---------> Administration ---------> Policy Server ---------> Shared Secret Rollover

    7. Finally tested the "User Directory" View Contents and it is successfully connected to LDAP via SSL and displays the contents of the users in the User Store.

        SMPS log entry: [31891/4047162224][Thu Oct 09 2014 10:10:10][SmLdapPs.cpp:224][INFO][sm-Ldap-02150] (Bind - SSL Client init) Succeeded.

     

    Thanks Again!

     

    Regards,

    Soma



  • 8.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 09, 2014 10:37 AM

    I forgot to mention the environment details. They might be helpful in future for any reference based upon the environment.

     

    Environment details:

    OS: Linux  2.6.32-431.23.3.el6.x86_64

    Policy Server: 12.52 SP1 (New Installation)

    AdminUI: 12.52 SP1 (New Installation)

    User Store: Novell Directory Server

    Policy Store: Oracle 11g R2.

     

    Thanks,

    Soma



  • 9.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 09, 2014 06:27 PM

    Hi Soma,

     

    I am glad that setting the AllowEmptyEncKey=1 registry key worked for you; however, I would not recommend leaving it like that, especially in your production environment.

    You should have this configuration ONLY if you can't reset the session ticket / persistent key. There are security issues with using no value for the session ticket key.

     

    What would be a reason not to reset:

     

    • Resetting the session ticket forces all currently logged-in users to re-login
    • Customers using basic password services will lose password history and policy data

     

    Recommended solution :

     

    1. Once you have set the AllowEmptyEncKey=1 registry key, you should be able to go to the "Key Management" tab in the Admin UI.
    2. In Key Management --> Session Key Management --> click Rollover Now to reset the session ticket key. You can choose to use a random key or a custom chosen value.
    3. Once the Session Ticket Key is reset, change the registry key AllowEmptyEncKey back to 0.
    4. Restart the Policy Server and test.



    Hope this helps.

    Cheers,

    Ujwol
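The fix in the best answer and the follow-up advice above are two edits of the same line in sm.registry: AllowEmptyEncKey goes to 1 to get past "Failed to decrypt persistent key", and back to 0 once the session ticket key has been rolled over. The following added example, which is not code from the original thread, makes that a single reviewed operation with a backup instead of a hand edit. The file layout is an assumption taken from the best answer (a section header line such as HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=<n>, followed by indented "Name=   value;  REG_DWORD" lines up to the next header); the sample registry text, the LogConfig section and the script name are constructed for illustration, so check the layout against your own sm.registry before use.

```python
"""Added example: set or clear AllowEmptyEncKey in sm.registry. The layout
(HKEY_LOCAL_MACHINE\\... header lines, indented "Name=   value;  REG_DWORD"
entries) is assumed from the thread; the sample below is constructed."""
import re
import shutil
import sys
from pathlib import Path

OBJECT_STORE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore"
KEY = "AllowEmptyEncKey"
HEADER_PREFIX = "HKEY_LOCAL_MACHINE\\"

# Constructed sample in the assumed layout; the numbers are illustrative.
SAMPLE_REGISTRY = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Netegrity\\SiteMinder\\CurrentVersion\\ObjectStore=97907558\n"
    "    SomeOtherKey=                      0;  REG_DWORD\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Netegrity\\SiteMinder\\CurrentVersion\\LogConfig=97907559\n"
    "    LogLevel=                          1;  REG_DWORD\n"
)


def _dword_re(key: str):
    return re.compile(rf"^\s*{re.escape(key)}=\s*(\S+);\s*REG_DWORD\s*$")


def _section_bounds(lines, section):
    """(start, end) of the lines belonging to `section`: start is its header
    line, end is the next header line (or EOF). Raises if the section is
    absent rather than guessing where a new one should go."""
    start = next((i for i, l in enumerate(lines) if l.startswith(section + "=")), None)
    if start is None:
        raise ValueError(f"section not found: {section}")
    end = next((j for j in range(start + 1, len(lines))
                if lines[j].startswith(HEADER_PREFIX)), len(lines))
    return start, end


def get_dword(text: str, section: str, key: str):
    """Current integer value of key under section, or None if not set."""
    lines = text.splitlines()
    start, end = _section_bounds(lines, section)
    pat = _dword_re(key)
    for l in lines[start + 1:end]:
        m = pat.match(l)
        if m:
            return int(m.group(1))
    return None


def set_dword(text: str, section: str, key: str, value: int) -> str:
    """Registry text with key=value (REG_DWORD) under section: an existing
    line is replaced in place, otherwise one is appended to the section."""
    lines = text.splitlines()
    start, end = _section_bounds(lines, section)
    new_line = f"    {key}={' ' * 24}{int(value)};  REG_DWORD"
    pat = _dword_re(key)
    for j in range(start + 1, end):
        if pat.match(lines[j]):
            lines[j] = new_line
            break
    else:
        lines.insert(end, new_line)
    return "\n".join(lines) + "\n"


def apply(path: Path, value: int) -> Path:
    """Back up sm.registry beside itself, then write the change. Stop the
    Policy Server first and restart it afterwards, as in the thread."""
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    path.write_text(set_dword(path.read_text(), OBJECT_STORE, KEY, value))
    return backup


if __name__ == "__main__":
    # Usage: python allow_empty_enc_key.py /opt/siteminder/registry/sm.registry 1
    # and, after Rollover Now in Key Management, the same command with 0.
    registry, value = Path(sys.argv[1]), int(sys.argv[2])
    backup = apply(registry, value)
    print(f"backup written to {backup}; {KEY} is now "
          f"{get_dword(registry.read_text(), OBJECT_STORE, KEY)}")
```

Keeping the toggle in one script also makes the "set it back to 0" step hard to forget: the same command with the other value, and the .bak from the first run shows what the section looked like before anything was touched.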



  • 10.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 15, 2014 11:30 AM

    Hi Ujwol,

     

    Thanks for your update!

     

    I just checked in the WAM UI console; there is no Key Management section under Administration. We see only "Shared Secret Rollover".

    The WAM UI version is SiteMinder 12.52 SP1.

     

    Please find the attached screen shot and advise us.

     

    Regards,

    Soma

    Attachment(s): AdminUI.PNG



  • 11.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 15, 2014 06:02 PM

    Hi Soma,

     

    Please refer to this discussion :

     

    Key Management tab not displayed in Administrative UI

     

    Regards,

    Ujwol



  • 12.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 20, 2014 05:26 PM

    Hi Ujwol,

     

    We set back the AllowEmptyEncKey=0 and restarted the Policy Server. We are able to view contents without any issues.

     

    Thanks for your support!

     

    Regards,

    Soma



  • 13.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 04, 2016 07:51 AM

    HI Ujwol,

     

    We have followed the above mentioned resolution steps still getting the below error:

     

    [CServer.cpp:2121][ERROR][sm-Server-01070] Failed handshake with ********
    ][SmObjKeyManagement.cpp:459][ERROR][sm-Server-03080] Failed to decrypt persistent key
    ][XPSRegService.cpp:544][Error][ERROR][sm-xpsxps-07270] No registration on file.

     

    Could you please suggest on the same.

     

    Regards,

    S Pv



  • 14.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 04, 2016 12:12 PM

    Hi Sreenath,


    I guess you mean you have applied the following registry key:

    AllowEmptyEncKey=1


    But based on the error, it seems you still have an unreadable persistent key in the key store.


    Please delete the existing persistent key using an external LDAP browser/ODBC tool.


    But before doing this, can you explain how you ended up getting this error? Are you doing a policy server upgrade/migration? Has the policy server encryption key (EncryptionKey.txt) changed, or have you imported the Persistent Key from another environment?



  • 15.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 04, 2016 12:17 PM

    Also look at this, which basically clarifies the point I am making here:

    https://communities.ca.com/thread/98942664
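The smps.log excerpts earlier in the thread and in the reply just above share one line format, and the replies establish what two of the codes mean: sm-Server-03080 is a persistent key that this policy server's EncryptionKey.txt cannot decrypt, and sm-xpsxps-07270 is a missing Administrative UI registration. The following added example, which is not code from the original thread, parses that format (tolerating the truncated lines whose pid/timestamp prefix was cut off), counts ERROR-level codes and attaches those hints so the triage from this thread can be rerun on a fresh log. The sample lines are constructed in the format shown above, and the HINTS table is a summary of the replies, not an official message code table.

```python
"""Added example: smps.log triage. Parses the bracketed line format seen in
the thread, counts ERROR-level message codes and attaches the causes the
thread identified. Sample lines are constructed; HINTS summarises the
replies in this thread, not product documentation."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\])?"  # prefix may be cut off
    r"\]?\[(?P<src>[\w.]+:\d+)\]"                             # SourceFile.cpp:line
    r"(?:\[(?P<level>[A-Za-z]+)\])+"                          # one or more level tags
    r"\[(?P<code>sm-\w+-\d+)\]\s*(?P<msg>.*)$"                # message code and text
)

# Assumption: summarised from the replies in this thread.
HINTS = {
    "sm-Server-03080": ("persistent key in the policy store cannot be decrypted with this "
                        "policy server's EncryptionKey.txt (key changed, or persistent key "
                        "imported from another environment); AllowEmptyEncKey=1 is only a "
                        "bridge to a session ticket key rollover, then set it back to 0"),
    "sm-xpsxps-07270": ("no Administrative UI registration on file; re-register with "
                        "XPSRegClient ... -adminui-setup and finish setup in the UI"),
}

# Constructed sample in the smps.log format from the thread; the fifth line
# mimics a truncated line with its pid/timestamp prefix missing.
SAMPLE_LOG = """\
[2497/3984042864][Wed Oct 08 2014 14:14:39][SmObjKeyManagement.cpp:459][ERROR][sm-Server-03080] Failed to decrypt persistent key
[2497/3973553008][Wed Oct 08 2014 14:34:10][CServer.cpp:1726][INFO][sm-Server-01760] Closing Idle connection for session # 23
[2497/4015512432][Wed Oct 08 2014 15:09:46][SmObjKeyManagement.cpp:459][ERROR][sm-Server-03080] Failed to decrypt persistent key
[31891/4047162224][Thu Oct 09 2014 10:10:10][SmLdapPs.cpp:224][INFO][sm-Ldap-02150] (Bind - SSL Client init) Succeeded.
][XPSRegService.cpp:544][Error][ERROR][sm-xpsxps-07270] No registration on file.
this line is not in smps.log format
"""


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Fields of one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = rec["level"].upper()   # "[Error][ERROR]" lines keep the last tag
    return rec


def summarize_errors(text: str) -> Counter:
    """ERROR-level line counts keyed by message code."""
    counts: Counter = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR":
            counts[rec["code"]] += 1
    return counts


def triage(text: str) -> List[Tuple[str, int, str]]:
    """(code, count, hint) per error code, most frequent first."""
    return [(code, n, HINTS.get(code, "no hint recorded in this thread"))
            for code, n in summarize_errors(text).most_common()]


def bind_succeeded(text: str) -> bool:
    """True once the LDAP SSL bind success line (sm-Ldap-02150) appears, the
    line the original poster used to confirm the fix."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["code"] == "sm-Ldap-02150" and "Succeeded" in rec["msg"]:
            return True
    return False


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for code, n, hint in triage(text):
        print(f"{n:4d}  {code}: {hint}")
    print("LDAP SSL bind succeeded:", bind_succeeded(text))
```

Point it at the live smps.log after each restart: the persistent key error count should drop to zero after the rollover, and the sm-Ldap-02150 line is the positive confirmation the original poster relied on.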



  • 16.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 05, 2016 02:32 AM

    Hi Ujwol,

     

    Thanks for your reply.

     

    Currently I am following the steps below again:

    1. Shut down the Administrative UI JBoss application server
    2. Delete the "data, log, tmp & work" folders under the "<adminui dir>\server\default\" directory
    3. XPSExplorer: remove the trusted host created by XPSRegClient
    4. XPSSecurity: remove the WAM UI Admin Directory
    5. Run the XPSRegClient command on the Policy Server

            e.g. XPSRegClient siteminder:<password> -adminui-setup -vT

    6. Start the Administrative UI service / JBoss application server
    7. Access the Administrative UI web page to complete the registration (e.g. http://<fqdn>:8080/iam/siteminder/adminui)

    Will update you once it is completed.

     

    One more doubt: when I run XPSExplorer, it takes almost 20 hours to show the menu, and even the policy server takes 20 hours to come up. Could you please suggest on this as well.

     

    Regards,

    Sree



  • 17.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 05, 2016 04:11 AM

    Hi Sree,


    Do you mind creating a new thread for your issue?

    Let us put this old thread to rest :)


    Cheers,

    Ujwol



  • 18.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 05, 2016 06:26 AM

    Sure Ujwol

     

    Regards,

    Sree



  • 19.  Re: SiteMinder 12.52 SP1 User Directory - View Contents

    Posted Oct 05, 2016 06:43 AM