Symantec Access Management

  • 1.  Office Hours for CA SiteMinder on Thursday, August 21st @ 12 PM ET

    Posted Aug 14, 2014 01:39 PM

    Have a question about CA SiteMinder? Connect with CA Technologies technical experts to get answers via Office Hours for SiteMinder. Our team is here to help you get more out of your technology.


    Join us for one hour on Thursday, August 21st @ 12 PM ET.

     

    Some sample topics:
    • Your pain points
    • Product documentation
    • Questions on functionality

     

    Please DO NOT discuss support cases – You will need to open a ticket instead. Also, this is not a forum to discuss support of customizations.


    Click here: https://catechnologies.webex.com/catechnologies/j.php?ED=271543727&RG=1&UID=0&RT=MiMxMQ%3D%3D to register, add to calendar and join the day of.



  • 2.  Re: Office Hours for CA SiteMinder on Thursday, August 21st @ 12 PM ET

    Posted Aug 21, 2014 09:30 AM

    Don't forget to join us today @ 12PM EDT (9AM PDT, 5PM BST)!

     

    CA SiteMinder Office Hours - August 2014



  • 3.  Re: Office Hours for CA SiteMinder on Thursday, August 21st @ 12 PM ET

    Posted Aug 22, 2014 09:57 AM

    CA SiteMinder Office Hours Transcript (8/21/2014)

    Kristen Malzone (CA) to Everyone: Ok - let's get started!

    Kristen Malzone (CA) to Everyone: Feel free to submit a question in the chat window and our experts will answer it.

    Soma Yedubati to Everyone: @Manjari, We are upgrading the IBM HTTP Server from 7.0.0.0 to 8.5.5.2 and OS is zLinux on Mainframe H/W. As per the Support Matrix, the version IHS 8.5.x.x is not yet certified on any of the SiteMinder Versions 12.0, 12.5, 12.51, and 12.52. Do you have any plans to do a certification of IHS 8.5.5 version? Please advise us.

    Vijay Saggu to Everyone: Hi All, I am seeing an error authreason=48 in the logs even though the user exists in the ldap...does anyone have an idea what would be the reason for SM to not find the user..

    Soma Yedubati to Everyone: @Vijay, are you getting any message like "inappropriate authentication " message along with error 48 in smps.log?

    Manjari Gangwar(CA Technologies) to Everyone: @Soma Product Management folks are on the webex and would be answering your certification question shortly.

    Vijay Saggu to Everyone: @Manjari , nope..just that the user DN could not be found in the smtrace..nothing in the smps

    Jacob Poye (CA) to Everyone: @vijay - The error 48 is generally returned when the auth type required, set on the directory, does not match the type being used by SiteMinder. Either that or the password is incorrect which usually returns a 49 or 48 depending on the platform

    Vijay Saggu to Everyone: @Jacob, sorry I did not mention earlier but this is an IDP based federated authentication scenario, and it is very random...

    Herb-CA to Everyone: @Soma...I took a look at our backlog. There is a certification in the queue for IHS 8.5.5.x on Z Suse 11. Right now looks like the team is working on getting the machine infrastructure to execute the testing

    Manjari Gangwar(CA Technologies) to Everyone: @Vijay with detailed SMPS traces, we should be able to see the LDAP search going out to the LDAP to see around this Error. Would suggest you open a support ticket.

    Herb-CA to Everyone: @Soma...forgot to add that the certification looks like it is being targeted for testing with 12.51 CR3

    Jacob Poye (CA) to Everyone: @Vijay - it should not matter how the auth is being triggered (FCC, SAML, etc...), since the error is being returned by the directory server for the presented BIND attempt

    Manjari Gangwar(CA Technologies) to Everyone: @Vijay for Federation the authreasons may be set  by the federation part of the transaction and in the traces using federation trace template, we should be able to see the root-cause.

    Roger Myers to Everyone: Hello CA, is it possible to configure a user directory so that users authenticate using either one of two LDAP attributes:  uid and email?  If so, how can we do this?

    Vijay Saggu to Everyone: @manjari , sounds like a plan

    Manjari Gangwar(CA Technologies) to Everyone: @Vijay is the error at the SiteMinder SP (SAML auth-scheme) or at the SiteMinder IDP where it would be the auth-URL protection auth-scheme (which one are you using?)

    Vijay Saggu to Everyone: @manjari, Yes, on the SP side

    Soma Yedubati to Everyone: @Herb, Thanks for your update! Is it possible for you to update my enhancement request raised sometime back? https://communities.ca.com/ideas/235713922

    Vijay Saggu to Everyone: @manjari, SAML 2.0 Auth scheme

    Aaron Berman (CA) to Everyone: @Roger There are several ways to do that. I have seen some places define two separate directories each with a different disambiguation attribute, then do identity mapping from one to the other...

    Aaron Berman (CA) to Everyone: @Roger -- I have seen people use custom authentication schemes or SMWalker

    Herb-CA to Everyone: @soma...I will connect with owner inside CA to get that updated...

    ketan patelket to Everyone: Hello we are upgrading our siteminder WAM UI servers from 12.0 SP3 CR9 to 12.52 CR1, in version 12 we made it run on ssl but after upgrade when we try the same config it gives page cannot be displayed error. Some of the config files like server.xml where we commented the non-ssl stuff has changed in this new version. Any clue how to make this run as I cannot find any specific detailed document on this?

    Aaron Berman (CA) to Everyone: @Roger - and I have also seen people modify the "@" directives in the FCC Page itself... here you don't specify the attribute in the user lookup of the dir, but you say @USER=(|(uid=%user%)(mail=%user%)) in the FCC itself... note this technique will have impact on the SM_USER header variable

    Roger Myers to Everyone: @Aaron, thanks that information is useful!

    Matt Butalla to Everyone: @CA. I don't have a question per se, but since the meeting info invites us to bring up pain points I would like to express one. Our company uses SiteMinder and IdentityMinder to manage authentication for a couple of our sites. Currently we're skinning IM in an attempt to make account management functions (change password, reset password, forced password reset upon login, etc) have the same look and feel as our site, but it is still a terrible experience due to the simple fact skinning IM will never be as good as keeping users in our site. We attempted to use your APIs so that we could manage these functions from our site (Java app), but the APIs are very obscure and difficult to work with. It would be nice to see one updated API that our app could use to handle account management within our app so that we are able to retain our user experience. We've been disappointed with the current "API" and with the support provided for it.

    Aaron Berman (CA) to Everyone: @matt - are you referring to the TEWS API? 

    Matt Butalla to Everyone: @Aaron, yes I am. There was also a SM API that we discovered (smagentapi) that seemed very out of date and difficult to use.

    Roger Myers to Everyone: Hi CA, we've had problems trying to do an XPSExport of named expressions in all versions of Siteminder 12.x.  Is this a known problem?

    Jacob Poye (CA) to Everyone: @Roger - Can you be a little more specific on the nature of the error?

    Roger Myers to Everyone: @Jacob, sorry can't. Some of my colleagues have reported it. Was just wondering if you were aware of any issues in this regard?

    Aaron Berman (CA) to Everyone: @Matt... A couple of things here... this really has people geared to SiteMinder, but I can take your comment and pass it along.. a couple of things I would suggest is to post this comment over on the communities site. I know that there have been some talks about exposing a REST API for IM.

    Kristen Malzone (CA) to Everyone: @Matt We're also holding our first Office Hours for Identity Suite on September 3rd at 9AM EDT if you'd like to ask more questions specific to IM. https://communities.ca.com/events/1232 - I'd also encourage you to post about this in the community since it covers multiple products. https://communities.ca.com/community/ca-security

    Jacob Poye (CA) to Everyone: @Roger - No, I have not heard of anything specifically regarding active responses and xpsexport

    Roger Myers to Everyone: @Jacob, no not active responses, I meant "Named Expressions"

    Aaron Berman (CA) to Everyone: @matt I will also forward over your comment to the IM team. As far as the SM agent inside of IM, that doesn't require any coding. For making general API calls to SiteMinder, we do have a REST API now to make querying SiteMinder easier

    ketan patelket to Everyone: CA - We have upgraded our policy server 12.0 sp3 cr9 to policy server 12.52 cr1 but after upgrading the RSA agent doesn't work with the newly upgraded aceint 8.1 dll. It fails to pick up the dll completely. Support has no clue about it. Does anybody have any idea about this issue?

    Jacob Poye (CA) to Everyone: @Ketan - I have found cases where other customers follow the same instructions as past WamUI versions and have the 12.52 WamUI running over SSL. The only difference, it looks like you have to re-register the WAMUI with the Policy Server as a last step. If this is still not working for you, I would recommend opening a support case to diagnose specific issues.

    Matt Butalla to Everyone: @Aaron & Kristen, That's good to hear that there may be some improvements in a SiteMinder REST API. Is it present in v12 (unsure if that is the latest)? I can certainly post something to the community regarding the APIs that we use, but hearing that you're making note of it and passing it along to the team to me sounds better. I would just suggest that in future developments that the dev team always considers that the UIs that SM provides are not always going to work, and that any and all actions that can be exposed via an API that can be used by an app will be beneficial to your customers.

    Roger Myers to Everyone: @CA, we have a third-party system monitoring tool that we'd like to use to gather Siteminder monitoring (like OneView Monitor).  Is there any way of doing this without using SNMP?

    Aaron Berman (CA) to Everyone: @Matt - the SM REST API was included in SM 12.51

    Matt Butalla to Everyone: @Aaron, thank you.

    Aaron Berman (CA) to Everyone: @Matt - also we have begun re-selling a new interface for IM that is much more business centric. It is a third party solution we are now re-selling... ask your CA account team for a demo.

    Challa Ramakanth (CA) to Everyone: @ketan, We will follow up on the support case for that one but RSA agent works fine in the new version even if it has the DLL version changed. The way it loads is exactly the same, the change might be where you put this DLL and how your VAR_ACE and USR_ACE point to.

    Matt Butalla to Everyone: @Aaron, I'll pass that information along.

    Aaron Berman (CA) to Everyone: @Roger - the best thing to do is to use the SiteMinder Event API to collect that data and then send it to a third party location. I prefer this rather than log scraping.

    Matt Butalla to Everyone: @CA, I appreciate that this sort of engagement was provided to your users. To be honest it's a little tough to do this via WebEx, but I'm still glad to have this instant feedback.

    Aaron Berman (CA) to Everyone: @Roger - I also have a partner of ours IdentityLogix that plugs in this exact way that collects performance metrics, audit data, and even siteminder policy changes.

    Kristen Malzone (CA) to Everyone: @Matt We hear you and are looking at other options for live chat. For now, WebEx makes the most sense and is the most readily available tool for us to use.

    ketan patelket to Everyone: the dll and the other required files are exactly at the same place which is windows system 32 and the variables VAR_ACE and USR_ACE point to the correct path. Still the auth RSA auth scheme fails to load

    Roger Myers to Everyone: @Aaron, thanks.  I thought the Event API is only supported in the C programming language?

    Aaron Berman (CA) to Everyone: @Roger.. I believe that to be correct...

    Aaron Berman (CA) to Everyone: @Roger  what third party product are you using?   I just try to keep a list of what SM accounts are using

    Soma Yedubati to Everyone: @CA, As we reported a Policy Server crash issue reported with 12.51 CR3, 12.51 CR2, CR1 after we enabled the KeyStore is a different store than the Policy Store. But I heard that there will be a fix on this defect on 12.52 SP1. Do we have any NIN for 12.51 CR3 and what is the ETA ?

    Challa Ramakanth (CA) to Everyone: @ketan, understood. Search for this dll at other places and you would see this dll perhaps with SM and with the ACE agent or some other places. Then the PATH environment variable might be choosing one over the other to load. Just change the order and see if it works the other way. If more is needed, we can then work on this through the support ticket you have.

    Jeff Limpert to Everyone: I am unable to find the SiteMinder Advanced Password Services Guide. Can you send a link? Thanks in advance.

    Roger Myers to Everyone: @Aaron, we're using Xymon.

    Challa Ramakanth (CA) to Everyone: @Jeff, https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?policy-design.html

    Challa Ramakanth (CA) to Everyone: @Jeff, that's the link for the APS documentation which is now part of core SM

    Aaron Berman (CA) to Everyone: @soma if there was a nin that was going to be built for that problem we would have likely notified you in that specific ticket. I know that we are still planning an Aug 31 GA for 12.52 SP1.

    Challa Ramakanth (CA) to Everyone: @Jeff, sorry wrong link. Here is the correct one: https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?aps-guide.html

    Aaron Berman (CA) to Everyone: @Roger - haven't seen a xymon integration before.

    Roger Myers to Everyone: @Aaron, me neither.  But it's something we'd like to use.

    Jeff Limpert to Everyone:  thanks again.

    Kristen Malzone (CA) to Everyone: Alright - we're going to wrap up. Thanks for joining us! We'll post a transcript of today's office hours here: https://communities.ca.com/thread/241691911.

    ketan patelket to Everyone: @Jacob I think it's purely related to ssl as the WAM UI did come up on the non-ssl port but we get page cannot be displayed after configuring ssl certs. So I am sure there is some config issue and not a problem with registration. Do we have any detailed procedure to do this on the 12.52 server?

    Kristen Malzone (CA) to Everyone: @ketan I think Jacob may have signed off or stepped away. I will send him your question and ask him to follow up.