Symantec Access Management

I was trying to set up CA Access Gateway but when pointing browser to url i am getting: "Server Error. The server was unable to process your request."

Nothing really helpful in logs, where should I start?

Except this:

"2017-Apr-16 20:39:03,469 - ERROR - com.ca.sps.adminui.dao.groupconfiguration.GroupConfigurationDAO - Null ProxyServerDTO for current group, Version details can't be queried
"2017-Apr-16 20:39:03,471 - ERROR - com.ca.sps.adminui.sync.SynchJob - Synch Periodic Status= Group Configuration data is not loaded properly into application context

Hi,

Are you using the below URL to access the SPS Proxy UI?

http://fullyqualifiedhostname:Tomcat_port/proxyui/

Are you using Group Configuration Settings Configuration

https://docops.ca.com/ca-single-sign-on/12-6-01/en/using/ca-access-gateway-administrative-ui/group-configuration-settings-configuration

Regards,

Leo Joseph.

Indeed, I had FQDN broken. I can get to logon screen now.

I am rather not using group Group Configuration. Is this mandatory?
Which login details I should use, my siteminder admin ar that one from User Directory under Domain in Policy Server (I used example sql script)?

Hi,

Regarding your query please refer below thread:

Secure Proxy Server Administrative credentails ?  

Thanks,

Santosh

Hi,

By default SPS adminui will be protected when you complete SPS configuration successfully, Configuration wizard will create the SPS domain and protect the SPS adminui. 

If you are getting the login page then it will be protected by form auth scheme. You would need to create a user directory and add under SPS domain and add the users to the policy whom you want to give the access.

Thanks,

Sharan

Hi, so everything was there, I had Web Agent setup from before AG install so missed that there is almost everything needed by CA Access Gateway installer.

I am almost inside:

Server Error in '/proxyui' Application

Error Type

CA Access Gateway UI Protection Error

Error Message

There is no Agent Name configured with this host. Please configure the Agent Name in the Agent Configuration Object

The question is - could I set this up that it will we working when host  agent hosts gets different IPs (my setup lives for now in Virtual Machine)

I am thinking about something like:

AgentName2 = wa1.example.com, *.*.*.* in Agent Configuration object.

I believe that this may be due to the Agent Configuration Object (ACO) that you provide in the SPS conguration steps did not have the defaultagentname/Agentname parameter defined for the agent that you are trying to use with SPS.

Please add the corresponding agent under ACO.

Example: AgentName=WebAgent2,wa1.example.com
Example: AgentName=myagent1,192.168.0.0 (IPV4)
Example: AgentName=myagent2, 2001:DB8::/32 (IPV6)

Thanks,

Sharan

Hi,

Do I need to re-register trusted host after I amend Agent Configuration Object on Policy Server?

Hi,

No need to re-register the agent as you will be using same WebAgent.conf file for the virtual host.

Thanks,

Sharan

InfortunatelyI have:

Server Error. The server was unable to process your request

when I switch to:

AgentName= wa1,wa1.example.com
or

AgentName= wa1,192.168.0.0

The only thing that "works" is AgentName=wa1,127.0.0.1 bu then I have:

Server Error in '/proxyui' Application
Error Type

CA Access Gateway UI Protection Error
Error Message

There is no Agent Name configured with this host. Please configure the Agent Name in the Agent Configuration Object

Did you create wa1 agent? How many agents you created?

If you are using same agent for all the virtual host, you can use DefaultAgentName.

DefaultAgentName
Defines a name that the agent uses to process requests. The value for DefaultAgentName is used for requests on an IP address or interface when no agent name value exists in the AgentName parameter.

If you are using virtual servers, you can set up your CA SiteMinder® environment quickly by using a DefaultAgentName. Using DefaultAgentName means that you do not need to define a separate agent for each virtual server.

Important! If you do not specify a value for the DefaultAgentName parameter, then the value of the AgentName parameter requires every agent identity in its list. Otherwise, the Policy Server cannot tie policies to the agent.

For ex: DefaultAgentName=wa1

Thanks,

Sharan

no luck for today, how can I enable log and tracks to pin down this issue?

I would request to open support ticket to troubleshoot more this.

Please refer below KB to enable logs.

How to Enable SPS logs 

Thanks,

Sharan

And I am in :-), there is just big red ERROR:

You can ignore that exception

Thanks,

Sharan

So, thank you all for help. No moving to next steps. For now I was using classic Web Agent, and decided to move to Access Gateway. Lets say I had apache tomcat protected by apache httpd + Web Agent, and now I wont to move protection to  Access Gateway. The simple steps would be?:

1. on PS add new Agent Type as Web Agent or Servlet Agent?

2. crate virtual host on Access Gateway UI - and how to point it to my protected tomcat?

3. copy some default Agent Configuration Objects from ApacheDefaultSettings or from SPSDefaultSettings?

4. register trusted host for virtual host?

5. Configure Domain and Policy.

Please find the answers inline.

1. on PS add new Agent Type as Web Agent or Servlet Agent?

Sharan --> It is same as before (Web Agent). SPS will act as normal web agent.

2. crate virtual host on Access Gateway UI - and how to point it to my protected tomcat? 

Sharan --> You can create the virtual hosts and If you are using virtual servers, you can set up your CA SiteMinder® environment quickly by using a DefaultAgentName. Using DefaultAgentName means that you do not need to define a separate agent for each virtual server.

3. copy some default Agent Configuration Objects from ApacheDefaultSettings or from SPSDefaultSettings?

Sharan -->Please use copy of SPSDefaultSettings for ACO and modify accordingly 

4. register trusted host for virtual host?

Sharan --> No need to register virtual host, initial registration is enough. It is up to you how you want to design the configuration. If you want to use default agent (only one) for all the virtual hosts, you can use DefaultAgentName ACO as mentioned in question#2. If you want to have different agents for each virtual host, you can take the copy of WebAgent.conf and rename it to WegAgent1.conf and use it for the initialization. Also if you want to use new ACO and agent, you can update the new ACO details in WebAgent1.conf and new agent name in new ACO.

5. Configure Domain and Policy.

Sharan --> It is same as before, no changes with respect to SPS.

Thanks,

Sharan

Full Success at this step, Jumping to the clue of the story I will just start new thread about SAML.

Hi,

Please check below KB article

Document ID:  TEC1304259

How to resolve the "Error: Exception User might not have required permissions to get group information" when logging int… 

Thanks,

Siva

Hi, can I make smjdbcsetup to work with PostgreSQL?

   

Hi, 

Please check below link

Configure an External Administrator Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

Thanks,

Siv