Symantec Access Management

Could someone please help me with this urgently, we got pentesters testing the siteminder environment which has led to this situation where the siteminder super user has lost all rights and has only permisions to mange password policies. We go no other admin user .How do we restore the siteminder user rights in quickest possible way!! tried smreg but it complains cannot find entry point to smutilities.dll!! any quick help to restore will be appreciated

Hi,

    The first thing I can think of if you are using siteminder user for the administrator then you should reset its password and register the adminui with policy server.

To register the adminui stop the policy server, stop the adminui, take the backup of data folder and delete it, restart all the services, run XPSRegclient command, and register the adminui with policy server.

It is not an issue with login , the password is fine it is the siteminder adminstration rights which are not available.cannot change or view anything apart from password policies in the FSS UI as well as the WAM UI . We have R12.52 installed.

Try using XPSSecurity and modify the SiteMinder Admin privileges OR Create a new Admin

Please remember to use XPSSecurity tool from the same version as Policy Server.

Thanks Guys,

But in the mean time we copied the smreg tool again , edited the exisiting siteminder name to xyz . run the smreg -su command and the user was created !!!

I don't think you can modify rights of legacy super user with XPSSecurity..??

Wasn't sure Ujwol.

Hence I tried out to see if a Legacy super user is visible via XPSSecurity and is allowed for modification. The option is available for modifying, however it is still unclear to me to what extent it would be helpful in this scenario. Worth a try, but at the end I just quit as I did not want to mess around

Nevertheless the issue is resolved.

[XPSSecurity - XPS Version 12.51.0001.972]

Log output: XPSSecurity.2014-11-11_142520.log

(WARN) : [sm-xpsxps-03500] CA.SPS: No product library.

MAIN MENU*******************************************************************

   A                   ::= Administrators

   S                   ::= Security Categories

   C                   ::= Classes

   W                   ::= Workspaces

   B                   ::= Begin Transaction

   P                   ::= Synchronize with Policy Server (if running)

   Q                   ::= Quit

-------------------------------------------------------------------

Enter Option (A,S,C,W,B,P or Q): A

ADMINISTRATORS MENU*********************************************************

1 - siteminder [SuperUser] [Legacy]

SM://00072aab-356d-1461-b56d-f0468a2ad0cb/siteminder

2 - SiteMinder Administrative UI Directory User

SM-ADMIN-DIRECTORY

Used by the UI for authenticating administrators

3 - SMWAMUI:tgvesx2vm2001.ca.com__0 [Legacy]

SM://00072aab-356d-1461-b56d-f0468a2ad0cb/SMWAMUI:tgvesx2vm2001.ca.com__0

-------------------------------------------------------------------

   N                   ::= New Administrator

   A                   ::= View Administrator Attributes

   Q                   ::= Quit

-------------------------------------------------------------------

Enter Option (#NA or Q): 1

ADMINISTRATOR MENU********************************************************#0

----------------------------- Metadata ----------------------------

         XID: CA.XPS::Administrator@0004908c-356a-1461-b56a-f0468a2ad0cb(0)

In Cache? no

(1)

-------- Attributes from CA.XPS::Administrator (Base Class) -------

01: MethodsAllowed                  393215(0x5ffff): LocalAPI,RemoteAPI,AdminUI,XPSDDInstall,XPSDictionary,XPSConfig,XPSExplorer,XPSSecurity,XPSRegClient,XPSExport,XPSImport,Audit,Eval,Reports,License,Counter,Sweeper,LegacyAPI

02: Workspaces

03: Flags                           6(0x6): Legacy,SuperUser

04: Name                            "siteminder"

05: Description

06: UserPath                        "SM://00072aab-356d-1461-b56d-f0468a2ad0cb/siteminder"

-------------------------------------------------------------------

   B  - Blank out an Attribute

   G  - Generate GUID

   V  - Validate

   U  - Update

   R  - List Rights

   A  - List 6 Attributes

   Q  - Quit

-------------------------------------------------------------------

Enter Option (# or BGVURAQ): 03

-------------------------------------------------------------------

Attr:  Flags [CA.XPS::Administrator.Flags]

Description         Flags used to control processing

Type:               Number

Handling:           Bit Flags (enter '?' for setting interactively)

Character Case:     Mixed

New Value (? for interactive, blank to quit):?

-------------------------------------------------------------------

Attr:  Flags [CA.XPS::Administrator.Flags]

Desc:"Flags used to control processing"

Type: Number {1}

------------------------------- Bits ------------------------------

1 - Disabled                                          = 0x00000001

         This administrator is disabled

2 X Legacy                                            = 0x00000002

         This is a legacy administrator

3 X SuperUser                                         = 0x00000004

         This administrator is a super user

-------------------------------------------------------------------

Enter Option (#, A for All, N for None, or Q to Quit): ^C

Thank You,

Glad you were able to resolve the issue.

Just a note for all, Please do remember we should always use tools from the same version of Policy Server. Even though smreg looks small, however there may be version specific changes embedded. Never use utilities across different version.