Symantec Access Management

  • 1.  Advanced Auth scheme is not loaded

    Posted Oct 24, 2017 05:57 AM

    Hi Experts,

    We are facing an issue in the new environment where we have installed and configured the SiteMinder – Advanced Auth Adapter.

    The issue is with the Authentication Scheme: it is not loaded. Due to this, a 500 error is reported when we post the credentials to the Shim FCC file.

     

    Setup:

    • Arcot adaptor is installed and configured in the policy server.
    • The required library is placed in the policy server LIB location.
    • The custom Authentication scheme is created as below. It has the AFM profile name and the exact path where the adaptor is installed. Please note we have the adaptor installed in a different place and adaptershim.ini is NOT loaded from the default ARCOT_HOME </opt/ca/aas>. For debugging, I have set ARCOT_HOME to the adaptorpath config location and tried. Also, I placed the adaptorshim.ini into the ARCOT_HOME/conf location, but no luck.
    • A similar setup is working in the lower environment but not in this env. Any idea what else can be checked to debug this issue?

    Can you tell us whether any extra debug logging can be enabled?

    Below are the logs from the SiteMinder policy server trace, which indicate that the Authentication Scheme is not loaded.

     

    [][20989][24][10/24/2017][07:14:27][07:14:27.402][][][][LogMessage:ERROR:[sm-Server-02940] Failed to query authentication scheme 'AAAuthScheme_AFM'][][][][][SmAuthServer.cpp:336][][][][][][][]

    [s672/r21][20989][93][10/24/2017][07:14:27][07:14:27.403][wa_bwt10427035_helpdesk][][][** Status: Protected. ][][][][CSm_Az_Message::ProcessMessage][Sm_Az_Message.cpp:595][][][][][][][]

    [s682/r10][20989][22][10/24/2017][07:14:27][07:14:27.403][wa_bwt10427035_helpdesk][][][** Status: Protected. ][][][][CSm_Az_Message::ProcessMessage][Sm_Az_Message.cpp:595][][][][][][][]

    [s244/r11][20989][24][10/24/2017][07:14:27][07:14:27.404][wa_aps07349a001_gotham-btcompns][][][** Status: Error. Reject s244/r11 : internal error - failed to obtain scheme credentials for scheme 'AAAuthScheme_AFM'][][][][CSm_Az_Message::ProcessMessage][Sm_Az_Message.cpp:595][][][][][][][]

    [][20989][71][10/24/2017][07:14:27][07:14:27.404][][][][Look up a cached object.][][][][CSmObjCache::Lookup][SmObjCache.cpp:773][][][][][][][]

    [][20989][22][10/24/2017][07:14:27][07:14:27.405][][][][Leave function CSm_Az_Message::IsProtected][][][Protected][CSm_Az_Message::IsProtected][IsProtected.cpp:286][][][][][][][]

    [][20989][93][10/24/2017][07:14:27][07:14:27.403][][][][Leave function CSm_Az_Message::IsProtected][][][Protected][CSm_Az_Message::IsProtected][IsProtected.cpp:286][][][][][][][]

    [s155/r20][20989][86][10/24/2017][07:14:27][07:14:27.403][wa_cns006a022][][611517959][Send response attribute 153, data size is 4][][Y..C][][CSm_Auth_Message::FormatAttribute][Sm_Auth_Message.cpp:5130][][][][][][][]

    [s244/r11][20989][24][10/24/2017][07:14:27][07:14:27.405][][][][Leave function CSm_Az_Message::IsProtected, Failed to obtain scheme credentials.][][][][CSm_Az_Message::IsProtected][IsProtected.cpp:234][Reject s244/r11 : internal error - failed to obtain scheme credentials for scheme 'AAAuthScheme_AFM'][][][][][][]



  • 2.  Re: Advanced Auth scheme is not loaded

    Posted Oct 24, 2017 06:43 AM

    Did you check the thread below?

    Custom Auth Scheme error - CA Advanced Auth config with CA SSO

     

    Thanks,

    Sharan



  • 3.  Re: Advanced Auth scheme is not loaded
    Best Answer

    Broadcom Employee
    Posted Oct 24, 2017 10:35 AM

    Hi, ARCOT_HOME </opt/ca/aas> is not the Arcot home. This is the path for session assurance, which comes out of the box with SiteMinder and not with the Arcot adapter.

    In the authentication scheme, you have to give the path of the Arcot home where you have installed the adapter, and that should have the adaptershim.ini file. Once you have done this, restart your policy server.

    Also make sure that your environment variable is set to the actual adapter installation and not to "/opt/ca/aas".

    If this does not help, then check whether the case of the profile name is the same in the authentication scheme and in adaptershim.ini.

    Here the Arcot library is loading fine but the authentication scheme is misconfigured.

     

    Thanks

    Awijit



  • 4.  Re: Advanced Auth scheme is not loaded

    Broadcom Employee
    Posted Oct 24, 2017 10:47 AM

    Please also check if the policy server /lib folder has the libArcotSiteminderAdapter.so file.
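
The checks suggested in replies 3 and 4, collected into one preflight script. This is an added example, not part of any post in this thread and not vendor code. The function name `check_aa_scheme`, its three arguments and the `conf/` location of adaptershim.ini under the adapter home are assumptions; the profile name is searched as a plain string, so nothing is assumed about the file's layout.

```shell
#!/bin/sh
# Usage: check_aa_scheme ADAPTER_HOME POLICY_SERVER_LIB_DIR PROFILE_NAME
# Prints one OK/WARN/FAIL line per check; returns non-zero if any check fails.
check_aa_scheme() {
    arcot_home=${1%/}; lib_dir=$2; profile=$3
    ini="$arcot_home/conf/adaptershim.ini"   # assumption: conf/ under the adapter home
    rc=0

    # /opt/ca/aas belongs to session assurance, not to the adapter.
    if [ "$arcot_home" = "/opt/ca/aas" ]; then
        echo "FAIL arcot_home: /opt/ca/aas is the session assurance path"; rc=1
    fi

    # The environment variable should point at the same adapter installation.
    env_home=${ARCOT_HOME:-}; env_home=${env_home%/}
    if [ "$env_home" != "$arcot_home" ]; then
        echo "WARN env: ARCOT_HOME='$env_home' differs from '$arcot_home'"
    fi

    # Exact match first, then case-insensitive, to isolate a case mismatch
    # between the profile name in the scheme and the one in adaptershim.ini.
    if [ ! -r "$ini" ]; then
        echo "FAIL ini: cannot read $ini"; rc=1
    elif grep -qF -- "$profile" "$ini"; then
        echo "OK profile: '$profile' found in $ini"
    elif grep -qiF -- "$profile" "$ini"; then
        echo "FAIL profile-case: '$profile' appears only with different case"; rc=1
    else
        echo "FAIL profile: '$profile' not found in $ini"; rc=1
    fi

    # The adapter library must be present in the policy server lib folder.
    if [ -f "$lib_dir/libArcotSiteminderAdapter.so" ]; then
        echo "OK lib: libArcotSiteminderAdapter.so present in $lib_dir"
    else
        echo "FAIL lib: libArcotSiteminderAdapter.so missing from $lib_dir"; rc=1
    fi
    return $rc
}

# Run the checks when called with the three arguments.
if [ $# -eq 3 ]; then check_aa_scheme "$@"; fi
```

Run it as the account that runs the policy server, so the readability check reflects what the policy server process can actually open.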