Symantec Access Management


Configuring Secure Policy Server agent

  • 1.  Configuring Secure Policy Server agent

    Posted May 24, 2017 12:03 PM

    I have a Windows 2008 R2 box with CA SSO Policy Server and Admin UI installed.

    Another box has CA Secure Proxy Server.

    I am trying to configure CA Secure Proxy Server to the Policy Server. I am getting the below error: the agent is created in the Policy Server, but the proxy server complains. It accepted the Trusted Host and Host configuration from the same box. Any thoughts?

     



  • 2.  Re: Configuring Secure Policy Server agent

    Posted May 24, 2017 12:13 PM

    Although the creation of the proxy UI protection policy failed, I proceeded with configuration and it succeeded. I cannot log in to the UI of Secure Proxy Server. Any idea where I can look for logs? Troubleshooting?



  • 3.  Re: Configuring Secure Policy Server agent

    Posted May 24, 2017 01:24 PM

    My host is in a workgroup. Does it need to be in a domain and provide the fully qualified name to access the UI?



  • 4.  Re: Configuring Secure Policy Server agent

    Posted May 24, 2017 03:27 PM

    The "defaultagentname" parameter specified in the ACO has to be an existing one.


    Either you haven't provided the agent name in the ACO or it doesn't exist.



  • 5.  Re: Configuring Secure Policy Server agent

    Posted May 24, 2017 03:42 PM

    What is ACO?

    I created an agent in policy server and provided its name. My logs show the below error

     

    "2017-May-24 09:08:57,690 - ERROR - com.ca.sps.adminui.tunnelclient.TunnelConnector - Failed to get configuration from conf file
    "2017-May-24 09:08:57,690 - ERROR - com.ca.sps.adminui.dao.groupconfiguration.GroupConfigDAOHelper - ProxyException While fetching the Group Version Data using XPS Tunnel call Failed to get AgentAPI Configuration from conf file



  • 6.  Re: Configuring Secure Policy Server agent
    Best Answer

    Posted May 24, 2017 04:05 PM

    ACO = Agent configuration object.


    You should specify an existing ACO in WebAgent.conf file.

    You should specify an existing defaultagentname in ACO.



  • 7.  Re: Configuring Secure Policy Server agent

    Posted May 24, 2017 04:20 PM

    Looking at the file my value for ACO is blank. Can I populate a value and provide that?

     

    # WebAgent.conf - configuration file for SiteMinder Secure Proxy
    # Secure Proxy Version = 12.52, Build = 499, Update = 1.0

    LOCALE=en-US

    HostConfigFile="C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf"
    AgentConfigObject=
    ServerPath="ServerPath_default"
    EnableWebAgent="YES"
    #localconfigfile="C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\LocalConfig.conf"
    LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\HttpPlugin.dll"
    LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\SPSPlugin.dll"
    #LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\SPPlugin.dll"
    #LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\DisambiguatePlugin.dll"
    #LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\OpenIDPlugin.dll"
    #LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\SessionLinkerPlugin.dll"
    #LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\OAuthPlugin.dll"
    #LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\SAMLDataPlugin.dll"
    #LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\CertSessionLinkerPlugin.dll"
    AgentIdFile="C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\AgentId.dat"



  • 8.  Re: Configuring Secure Policy Server agent

    Posted May 24, 2017 04:21 PM

    Yes, you can.
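
The check below is an added example and is not part of any post in this thread or of CA's tooling: it lints a WebAgent.conf for the condition discussed above, an `AgentConfigObject` that is empty, commented out with `#`, or absent. The `REQUIRED` key list and the case-insensitive key matching are assumptions made for the example, and the sample text is trimmed from the file posted in the thread.

```python
import re

# Constructed sample, trimmed from the WebAgent.conf posted in the thread.
SAMPLE = r'''
# WebAgent.conf - configuration file for SiteMinder Secure Proxy
LOCALE=en-US
HostConfigFile="C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf"
AgentConfigObject=
EnableWebAgent="YES"
#localconfigfile="C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\LocalConfig.conf"
LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\HttpPlugin.dll"
LoadPlugin="C:\Program Files (x86)\CA\secure-proxy\agentframework\bin\SPSPlugin.dll"
'''

# Keys this example insists on; an assumption, not a vendor-defined list.
REQUIRED = ("HostConfigFile", "AgentConfigObject")

# Optional leading '#', then key=value. Free-text comment lines do not match.
LINE = re.compile(r'^\s*(#?)\s*([A-Za-z]\w*)\s*=\s*(.*?)\s*$')

def parse(text):
    """Return (active, commented): dicts of lowercased key -> list of values."""
    active, commented = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank line or descriptive comment
        hashed, key, value = m.groups()
        target = commented if hashed else active
        # Keys such as LoadPlugin repeat, so keep every value.
        target.setdefault(key.lower(), []).append(value.strip('"'))
    return active, commented

def lint(text, required=REQUIRED):
    """List one finding per required key that is empty, commented out or missing."""
    active, commented = parse(text)
    findings = []
    for key in required:
        k = key.lower()
        if k in active:
            if not any(active[k]):
                findings.append(f"{key}: present but empty")
        elif k in commented:
            findings.append(f"{key}: commented out with '#'")
        else:
            findings.append(f"{key}: missing")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE) or "no findings")
```

A clean result only means the key is set; whether the named ACO exists on the Policy Server still has to be confirmed there.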



  • 9.  Re: Configuring Secure Policy Server agent

    Posted May 25, 2017 07:55 PM

    How did you go with this one? 



  • 10.  Re: Configuring Secure Policy Server agent

    Posted Jun 06, 2017 06:20 PM

    I got through that error. But still cannot access the UI. 

    My webagent.conf file has the ACO

    In my Policy Server the ACO has a default agent name but when I try to save it.

     

    It gives me the below error indicating that the ACO does not have an agent name.

    Any idea what is going wrong?



  • 11.  Re: Configuring Secure Policy Server agent

    Posted Jun 06, 2017 07:23 PM

    You need to remove the pound (#) character. Having it will comment out/hide the parameter.



  • 12.  Re: Configuring Secure Policy Server agent

    Posted Jun 06, 2017 07:31 PM

    I removed the pound. 

     

    Still cannot go past the error - 



  • 13.  Re: Configuring Secure Policy Server agent

    Posted Jun 06, 2017 09:21 PM

    Please open support ticket.



  • 14.  Re: Configuring Secure Policy Server agent

    Posted Jun 06, 2017 09:25 PM

    I have had a support ticket, 00755335, open for the past 10 days. Not going anywhere. Wondering, is it that tough?



  • 15.  Re: Configuring Secure Policy Server agent

    Posted Jun 07, 2017 12:58 PM

    I was able to get past the UI error. I had to re-configure the SPS. Not able to login to the UI.

    I have added the AD as user directory. Is it mandatory that I configure it as external user store to be able to use those to login into my SPS?

    smaccess log

    AuthAttempt WIN-2NA0NU7RK7C [07/Jun/2017:09:16:03 -0800] "127.0.0.1 siteminder" "apache GET /proxyui/" [] [0] [] []
    AuthAttempt WIN-2NA0NU7RK7C [07/Jun/2017:09:23:41 -0800] "127.0.0.1 Administrator" "apache GET /proxyui/" [] [0] [] []
    AuthAttempt WIN-2NA0NU7RK7C [07/Jun/2017:09:23:51 -0800] "127.0.0.1 siteminder" "apache GET /proxyui/" [] [0] [] []
    AuthAttempt WIN-2NA0NU7RK7C [07/Jun/2017:09:28:05 -0800] "127.0.0.1 Administrator" "apache GET /proxyui/" [] [0] [] []
    AuthAttempt WIN-2NA0NU7RK7C [07/Jun/2017:09:30:08 -0800] "127.0.0.1 Administrator" "apache GET /proxyui/" [] [0] [] []4

    SMPS log

    [2504/4504][Wed Jun 07 2017 09:30:08][SmDsLdapConnMgr.cpp:1180][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received' Search Query = 'objectclass=*'



  • 16.  Re: Configuring Secure Policy Server agent

    Posted Jun 07, 2017 01:37 PM

    I configured the user directory (Active Directory) as my external user store and am now able to log in to CA SSO as an AD user. Logging in to SPS still gives the below error.

    smaccess

    AdminLogin WIN-2NA0NU7RK7C [07/Jun/2017:10:28:54 -0800] "WIN-2NA0NU7RK7C/192.168.15.146 CA.XPS::Administrator@67d760ae-fc19-4741-ba69-8e4e0fc1d7e5"
    AuthAttempt WIN-2NA0NU7RK7C [07/Jun/2017:10:30:04 -0800] "127.0.0.1 Administrator" "apache GET /proxyui/" [] [0] [] []

    smps

    [3720/1432][Wed Jun 07 2017 10:29:05][PolicyCache.cpp:1294][INFO][sm-Server-02880] Building policy cache ...
    [3720/1432][Wed Jun 07 2017 10:29:05][PolicyCache.cpp:1387][INFO][sm-Server-02890] Building policy cache done
    [3720/4948][Wed Jun 07 2017 10:30:04][SmAuthServer.cpp:332][INFO][sm-Server-02750] Loaded authentication scheme AUTHSCHEME-SPSADMINUI. Version 768 . SiteMinder(tm) HTML form authentication scheme
    [3720/4948][Wed Jun 07 2017 10:30:04][SmAuthServer.cpp:361][INFO][sm-Server-02760] Initialized authentication scheme AUTHSCHEME-SPSADMINUI
    [3720/4948][Wed Jun 07 2017 10:30:04][SmDsLdapConnMgr.cpp:1180][ERROR][sm-Ldap-02230] Error# '10' during search: 'error: Referral received' Search Query = 'objectclass=*'

    Any thoughts?



  • 17.  Re: Configuring Secure Policy Server agent

    Posted Jun 07, 2017 01:53 PM

    After I do the SPS configuration with SiteMinder, if I now create the external user store for SiteMinder, do I have to redo the configuration?



  • 18.  Re: Configuring Secure Policy Server agent

    Broadcom Employee
    Posted Jun 07, 2017 03:04 PM

    Hi,

     

    You need to add your server name inside the server.conf file as well.

    It should look like this:

    <VirtualHost name="default"> ...
    hostnames="server name (from image win-2na0...)" ...
    </VirtualHost>


    Then restart the proxy engine service.



  • 19.  Re: Configuring Secure Policy Server agent

    Posted Jun 07, 2017 03:24 PM

    I could get in to SPS UI. My AD configuration was faulty. I re-created a new AD user directory and login was successful. I have some permission issues navigating inside the SPS. I will open a new thread for that. Thanks!! This forum was very helpful to share and receive help.



  • 20.  Re: Configuring Secure Policy Server agent

    Posted May 26, 2017 04:35 PM

    I still keep getting the same error. I do not have a web agent for SSO configured. Could that be an issue? Can I have a web agent configured on the SPS or CA String Authenticator box? Wondering if I need a separate box?

     



  • 21.  Re: Configuring Secure Policy Server agent

    Posted May 26, 2017 08:09 PM

    Note: You do not need a web agent with the CA Access Gateway because the web agent is built in.

     

    Protect the Administrative UI with CA Single Sign-On - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation