Symantec Access Management

  • 1.  CA SSO : WAMUI Related Queries

    Posted Sep 12, 2017 03:30 PM

    Hi,

     

    I have changed the password of the account which is used to connect to the policy store. I have updated the credentials in smconsole and restarted the policy server. The web agent and policy server are working fine. But while starting the WAMUI, the SiteMinder environment is not getting started and I could see an 'Invalid Credentials' error message in the logs.

     

    If I revert the changes to the old password, I am not getting any error while starting WAMUI.

     

    1) Can someone please let me know if I need to update the password in any other place as well? How will WAMUI know the policy store credentials? Where will it store these credentials?

     

    2) If I add more than one policy server connection to the existing WAMUI, how will the handshake happen between WAMUI and the additional policy server, as the file generated by XPSRegClient is getting removed automatically after the registration in WAMUI? I could see that the Trusted Host object and Admin object are getting created in the Policy Store. But in which file will the shared secret details be saved on the policy server side? It would be better if someone could explain this flow in detail.

     

    Thanks.

     

    Regards,

    Dhilip



  • 2.  Re: CA SSO : WAMUI Related Queries

    Broadcom Employee
    Posted Sep 12, 2017 04:15 PM

    Dhilip,

    The first question is strange; usually the admin UI does not correlate to the policy store connection account.

    That account information is stored in the registry file, not in the policy store at all.

    Maybe you have a report server or audit server connection that somehow shares the same account?

    Something was missing in the use case description. You can also search the entire policy store export xml file for the account.

     

    When XPSRegClient is called, the SiteMinder admin needs to complete the registration by going through the admin UI and logging in with id/pass/ui_name; this removes the temp record in the policy server and creates a permanent record in the policy store.

    Every registered and working UI has a trusted host record in the store, like hostname__0 (Generated by XPSRegClient).

    The same record is used for the next login attempt.

    Because it is a trusted host, the handshake will happen for each UI login respectively.

     

    Hope this helps.

     

    Thanks,

    Hongxu



  • 3.  Re: CA SSO : WAMUI Related Queries
    Best Answer

    Posted Sep 12, 2017 08:42 PM

    Hi Dhilip,

     

    I am pretty sure you are using the same user account that you used to connect to the policy store to also connect to the External Administrative store?

     

    If so, the credentials for this are also stored on the Admin UI side:

     

     

     

    So, if the password for this account has changed, apart from updating the smconsole you will also need to update it on the Admin UI side. You can do so by running the following steps:

     

    Configure an External Administrator Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

    Update Directory Server Credentials

    Update directory manager credentials with the smjndisetup utility.

    Note: The smjndisetup utility can only update connection details that were configured using the Administrative UI. You cannot use the smjndisetup utility to create the connection credentials.

    Follow these steps:

    1. Log in to the Administrative UI host system.
    2. Navigate to administrative_ui_home\CA\siteminder\adminui\bin.
      administrative_ui_home specifies the Administrative UI installation path.
    3. Run the following command:

      smjndisetup.bat --reset-password

    4. Do one of the following tasks:
      • Type the new directory user and press Enter.
      • Press Enter to accept the default user name.
    5. Type the new password and press Enter.
    6. Type y and press Enter.
      The utility restarts the Administrative UI service. The utility also updates the new directory connection details.

    Update Database Credentials

    Use the smjdbcsetup utility to update database user credentials in the JNDI data source.

    To update database credentials

    1. Log in to the Administrative UI host system.
    2. Navigate to administrative_ui_home\CA\siteminder\adminui\bin.
      administrative_ui_home specifies the Administrative UI installation path.
    3. Run the following command:

      smjdbcsetup.bat --reset-password

      The utility prompts you to enter a unique identifier.

    4. Enter the name of the deployed data source.

      Note: If you do not know the data source name, you can locate all deployed data sources in the standalone-full.xml file. The path to this file is administrative_ui_home\siteminder\adminui\standalone\configuration.

      administrative_ui_home specifies the Administrative UI installation path.
      The utility prompts you for the database user name.

    5. Enter the user name and press Enter.
      The utility prompts you for the user password.
    6. Enter the password and press Enter.
      The utility prompts you to verify the new data source credentials and verify that they can be updated.
    7. Type y and press Enter to confirm the new data source credentials.
      The utility updates the data source. The utility prompts you to restart the Administrative UI service.
    8. Type y and press Enter to use the utility to restart the Administrative UI service and deploy the updated data source. Alternatively, type n and press Enter to start the Administrative UI service manually.
      The data source is deployed when the service is started.

    For the second part of your question, let's spin off a new thread as that is unrelated to the first question.

    I will update shortly on that as well.

     

    Regards,

    Ujwol
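
The documentation quoted above says the deployed data sources can be located in standalone-full.xml before running smjdbcsetup. As an added example (not part of the original post or the product documentation), this Python script lists each data source's pool name, JNDI name and user, and reports whether a password is stored inline, without ever returning the password itself. It assumes the file follows the JBoss datasources-subsystem layout; the sample XML and every name in it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the JBoss datasources-subsystem layout (assumed schema;
# names and credentials are placeholders, not values from the thread).
SAMPLE = """<server xmlns="urn:jboss:domain:1.4">
  <subsystem xmlns="urn:jboss:domain:datasources:1.1">
    <datasources>
      <datasource jndi-name="java:/jdbc/ExampleAuditDS" pool-name="ExampleAuditDS" enabled="true">
        <security>
          <user-name>svc_example</user-name>
          <password>placeholder</password>
        </security>
      </datasource>
      <datasource jndi-name="java:/jdbc/ExampleReportDS" pool-name="ExampleReportDS" enabled="false">
        <security>
          <security-domain>example-encrypted-ds</security-domain>
        </security>
      </datasource>
    </datasources>
  </subsystem>
</server>"""


def local(tag):
    """Strip the '{namespace}' prefix so any subsystem schema version matches."""
    return tag.rsplit("}", 1)[-1]


def list_datasources(xml_text):
    """Return one dict per <datasource>/<xa-datasource>; never returns the password."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) not in ("datasource", "xa-datasource"):
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el.iter() if c is not el}
        found.append({
            "pool_name": el.get("pool-name"),
            "jndi_name": el.get("jndi-name"),
            "enabled": el.get("enabled", "true") == "true",
            "user": fields.get("user-name"),
            "inline_password": bool(fields.get("password")),
            "security_domain": fields.get("security-domain"),
        })
    return found


if __name__ == "__main__":
    print(*list_datasources(SAMPLE), sep="\n")
```

To inspect a real installation, pass the contents of standalone-full.xml to `list_datasources` instead of `SAMPLE`.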

     

     

     

     

     



  • 4.  Re: CA SSO : WAMUI Related Queries

    Posted Sep 13, 2017 03:32 AM

    Hi Ujwol,

     

    Thanks for your response. As usual, you are absolutely correct. We are using the same account to connect to the policy store and the external Admin store. The issue has been resolved after executing smjndisetup.sh; I have one query though.

     

    Where will these username and password details (to connect to the external Admin store) be stored, as I could see that the CADirectory xml file (which is in the ../siteminder/directories/ folder) is not getting updated even after executing the smjndisetup.sh script?

    Note: I have even tried changing the user (to connect to the external Admin store) but still the CADirectory xml file was not updated.

     

    Regarding my second query, as per your suggestion, I created a new thread.

    CA SSO: How handshake will happen between WAMUI and Policy server? 

     

    Thanks.

     

    Regards,

    Dhilip



  • 5.  Re: CA SSO : WAMUI Related Queries

    Posted Sep 13, 2017 03:53 AM

    Hi Dhilip,

     

    The new password will be saved in the Admin UI Apache Derby database in encrypted format.

     

    Glad that worked for you. Please mark the answer as correct if the issue is resolved.

     

    Regards,

    Ujwol



  • 6.  Re: CA SSO : WAMUI Related Queries

    Posted Sep 13, 2017 05:09 AM

    Hi Ujwol,

     

    Thanks for your response.

     

    Regards,

    Dhilip