Symantec Access Management


Legacy super user login issue with the Administrative UI

  • 1.  Legacy super user login issue with the Administrative UI

    Posted Nov 06, 2014 08:09 PM

    Hi All,

     

I am creating this case on behalf of our community member SatishSharma,

as this discussion has been going on for quite some time in multiple threads.

     

The configuration is:

     

    AdminUI 1 --> PS 1 -- Policy Store A

    AdminUI 2 --> PS 2 -- Policy Store A

     

and you want to be able to use the legacy SiteMinder super user, "siteminder", to log in to both Admin UIs and manage SiteMinder objects.

     

Problem: he is able to log in to an Admin UI only if he changes the super user password from that Admin UI's Policy Server, and is not able to log in to the other Admin UI.

To clarify,

If the super user password is changed from PS1, he is able to log in to Admin UI 1 but not to Admin UI 2, and

If the super user password is changed from PS2, he is able to log in to Admin UI 2 but not to Admin UI 1.



  • 2.  Re: Legacy super user login issue with the Administrative UI

    Posted Nov 06, 2014 08:19 PM

The current suggestion is that you need to ensure that both policy servers are using the same encryption key.

     

    Next Action:

    ==================

    1. Copy the encryption key across from PS1 (working) to PS2 (non working)

2. Back up your PS2 sm.registry file (just in case something goes wrong). It will be located at <INSTALL_HOME>/CA/siteminder/registry

    3. Open PS2 SmConsole and retype all the sensitive information i.e. passwords and save the configuration

4. From the PS2 SmConsole, verify that the connections to all the stores (policy store, key store, audit store etc.) are all working by performing a "Test" connection.

5. Restart the PS2 policy server and Admin UI 2 and ensure that there are no startup errors.

6. Try logging in to Admin UI 2 using the super user credentials.


    Hope this helps.


    Cheers,

    Ujwol



     



  • 3.  Re: Legacy super user login issue with the Administrative UI

    Posted Nov 07, 2014 09:29 AM

    Hi Ujwol,

     

     

    Thanks for posting my message into CA communities. Appreciate your support.

    I have tried to follow the steps as you mentioned.

     

     

    1. Copy the encryption key across from PS1 (working) to PS2 (non working)

    Done.

     

     

    2. Backup your PS2 sm.registry file ( just in case something goes wrong)..It will be located at <INSTALL_HOME>/CA/siteminder/registry

I could not find any registry file at the location specified above. I am using version R12.51, so I could not perform this backup step.

     

     

    3. Open PS2 SmConsole and retype all the sensitive information i.e. passwords and save the configuration

I tried this step. It fails to connect to the policy store, key store and audit store SQL DB, even though I am using the correct passwords.

     

     

    4. From the PS2 SmConsole , verify that the connection to all the stores ( policy store, key store, audit store etc) are all working by performing a "Test" connection.

    Everything fails.

     

     

    5. Restart PS2 policy server & Admin UI 2 and ensure that there is not any startup errors.

Since step 4 fails, this is not required.

6. Try logging in to Admin UI 2 using super user credential.

Step 4 failed.

     

     

    Please let me know if you have any clarifications.

     

    Thanks,

    Satish



  • 4.  Re: Legacy super user login issue with the Administrative UI

    Posted Nov 07, 2014 09:55 AM

Hi Karmeng, Ujwol,

     

    Thanks for using your time in posting on my thread. My answers to your suggestions are below.

     

1. You have verified everything is working in the PS1 environment (i.e. connections to all stores succeed, can log in to AdminUI1 but failed to log in to AdminUI2)

    Yes correct.

     

2. Then you copied EncryptionKey.txt from PS1 (working environment) to PS2 (non-working environment)

    Yes correct.

     

3. All store connections return failure from both PS1 and PS2 smconsole. PS1 and PS2 cannot start up.

PS1 is working all the time because we have not changed anything there. That policy server is up and running in UAT.

PS2 doesn't work after changing EncryptionKey.txt to that of PS1.

     

If that's the case, that's not something I expected. As mentioned before, try running xpsexport -xb -npass from both environments and check what the admin password is. Sample of the output for the administrator:

I tried to execute the above command on both policy servers and compared the password attribute. It is showing a different password on each server.

     

    Below is the output of the command on both servers.

     

    Working server

     

     

    <Object class="CA.SM::Admin" Xid="CA.SM::Admin@12-6f9a4554-5570-4fe7-a8e0-995d6310f403" CreatedDateTime="2014-09-16T21:41:58" ModifiedDateTime="2014-09-16T21:41:58" UpdatedBy="SMSTUB" UpdateMethod="Internal" ExportType="Replace">

                <Property Name="CA.SM::Admin.DirectoryAuth">

                    <BooleanValue>false</BooleanValue>

                </Property>

                <Property Name="CA.SM::Admin.Rights">

                    <NumberValue>47</NumberValue>

                </Property>

                <Property Name="CA.SM::Admin.Password">

                    <StringValue>AVegtZU6g9IYLMWlh</StringValue> (That's the password which I have been trying to set for both Policy servers)

                </Property>

                <Property Name="CA.SM::Admin.Name">

                    <StringValue>siteminder</StringValue>

                </Property>

     

    <Object class="CA.SM::Admin" Xid="CA.SM::Admin@12-a429f5f3-8acf-47ee-a502-7cbc3f15be4c" CreatedDateTime="2014-10-24T23:42:31" ModifiedDateTime="2014-10-24T23:42:32" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Replace">

                <Property Name="CA.SM::Admin.DirectoryAuth">

                    <BooleanValue>false</BooleanValue>

                </Property>

                <Property Name="CA.SM::Admin.Rights">

                    <NumberValue>15</NumberValue>

                </Property>

                <Property Name="CA.SM::Admin.Password">

                    <StringValue>!~X&gt;]?e88;&lt;XUzw7zk,#h]6%LGe2},}/b4orEfZNWLgz&amp;t3uE33Ut;c&amp;39\2&gt;eC^&gt;9n:!&amp;.Hi]iw4D4pTJV2.s;\nYy-Sj,5_[(c!ZrN9;mEJ8D|}T@67D(CfN,&gt;CtHN</StringValue>

                </Property>

                <Property Name="CA.SM::Admin.Name">

                    <StringValue>SMWAMUI:host163.ps.com__0</StringValue>

                </Property>

     

      <Object class="CA.SM::Admin" Xid="CA.SM::Admin@12-22d924a9-5df8-4b02-b78f-10e0a3cd7f06" CreatedDateTime="2014-09-17T15:32:06" ModifiedDateTime="2014-09-17T15:32:06" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Replace">

                <Property Name="CA.SM::Admin.DirectoryAuth">

                    <BooleanValue>false</BooleanValue>

                </Property>

                <Property Name="CA.SM::Admin.Rights">

                    <NumberValue>15</NumberValue>

                </Property>

                <Property Name="CA.SM::Admin.Password">

                    <StringValue>nAc.G^RKb#_Wpg$_bmN*Z26/gq~-so-@tHPUNaSLjb64c%PmEZ)U7K8p9RuP:LA|k8V&lt;5|9t57r.Z5zwkv3E9Y4N&lt;@.k2W8K52bB[7|S/DDZ%.v?9;&gt;2k5~.6$-zatB4</StringValue>

                </Property>

                <Property Name="CA.SM::Admin.Name">

                    <StringValue>SMWAMUI:host163.ps.com__1</StringValue>

                </Property>

     

    Non working server

     

     

    </Object><!-- Xid="CA.SM::Admin@12-6f9a4554-5570-4fe7-a8e0-995d6310f403" -->

            <Object class="CA.SM::Admin" Xid="CA.SM::Admin@12-0158b324-2ab7-48d4-8d1d-6d40e0fc6d02" CreatedDateTime="2014-09-26T15:39:10" ModifiedDateTime="2014-09-26T15:39:10" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Replace">

                <Property Name="CA.SM::Admin.DirectoryAuth">

                    <BooleanValue>false</BooleanValue>

                </Property>

                <Property Name="CA.SM::Admin.Rights">

                    <NumberValue>15</NumberValue>

                </Property>

                <Property Name="CA.SM::Admin.Password">

                    <StringValue>8Z_#MpX+kp563|N7655)-/BZ8AkG)Hti6&amp;7H8N~t{A=HgGU#&amp;iMs78k6q[3&gt;AR.3&gt;|#ag|BN/:Z*V462h\:?3X5igk-^//[s7mPU,r26*GR/&gt;R?&lt;?66$c/TMDzp99o!j</StringValue>

                </Property>

                <Property Name="CA.SM::Admin.Name">

                    <StringValue>SMWAMUI:host153.ps.com__0</StringValue>

                </Property>

     

    <Object class="CA.SM::Admin" Xid="CA.SM::Admin@12-f8dc7067-80c9-41a9-9607-b1af90ed7140" CreatedDateTime="2014-10-24T22:11:25" ModifiedDateTime="2014-10-24T22:11:25" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Replace">

                <Property Name="CA.SM::Admin.DirectoryAuth">

                    <BooleanValue>false</BooleanValue>

                </Property>

                <Property Name="CA.SM::Admin.Rights">

                    <NumberValue>15</NumberValue>

                </Property>

                <Property Name="CA.SM::Admin.Password">

                    <StringValue>e99eK6S\&gt;aq8n6M_KY#2vVo^)+3E:nt.L6vdhBhw,wv*/X\2pVYYa[m&amp;2ZWXS9w}FJ:tZzu|2?ouV9kB4Y7&amp;W%-gkk3q4&amp;&lt;U$Ky#J[:2HPvt7*RDg]8}#T=[ob#sZX4q</StringValue>

                </Property>

                <Property Name="CA.SM::Admin.Name">

                    <StringValue>SMWAMUI:host153.ps.com__1</StringValue>

                </Property>

     

     

    Please let me know if you have any other questions.

     

    Thanks,

    Satish



  • 5.  Re: Legacy super user login issue with the Administrative UI

    Posted Nov 09, 2014 09:02 PM

    Hi Satish,

     

    Please clarify few more things :

     

1. Are your PS1 and PS2 both Windows? You can copy over the EncryptionKey file only on the Windows operating system. Also, if this is Windows then you can't find the physical registry file at <INSTALL_HOME>/CA/siteminder/registry, as the settings are actually stored in the Windows registry at:


    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder (64bit windows )

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder (32 bit windows)

     

2. From your working policy store export, we can see that the password for the super user is: AVegtZU6g9IYLMWlh

However, from your non-working policy store export we can't see the export for the "siteminder" user, so we can't really see what password it is set to.

     

3. If there are still issues connecting, reset the password for the user being used to connect to the Policy Store (if you are using a separate encryption key for the key store, you may need to reset it as well if you needed to reset the Policy Store admin user's password), re-enter the new password in the SmConsole and test connectivity to the policy store/key store.

     

If this still doesn't work, we will need to reset the encryption key in both Policy Servers using the command:

     

    smreg -key <new key>

The details of this approach are discussed here: http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec454251.aspx

     

    Hope this helps.

     

    Cheers,

    Ujwol



  • 6.  Re: Legacy super user login issue with the Administrative UI

    Posted Dec 10, 2014 02:17 AM

    Hi Ujwol,

     

I have also tried to reset the encryption keys, but that did not help either; still the same issue. I have built a similar environment in my lab. There too I am facing this same issue.

CA has given up support for this issue. They are saying it's an unsupported configuration, which is not right. This type of configuration has been successfully working on three other environments. One is running on the exact same version.

     

    Please suggest.

     

    Thanks,

    Satish



  • 7.  Re: Legacy super user login issue with the Administrative UI

    Posted Dec 10, 2014 09:56 PM

    Hi Satish,

     

    If your configuration is as below:

    ###

    AdminUI 1 --> PS 1 -- Policy Store A

    AdminUI 2 --> PS 2 -- Policy Store A

     

and you want to be able to use the legacy SiteMinder super user, "siteminder", to log in to both Admin UIs and manage SiteMinder objects.

    ###

     

    I don't see any reason why this is not supported. What is the reason in the case that said this is unsupported?

     

Back to the issue, I'm interested to see what the siteminder password is when you run xpsexport -xb -npass from both environments. In your previous update, the working server has the below:

     

                <Property Name="CA.SM::Admin.Password">

                    <StringValue>AVegtZU6g9IYLMWlh</StringValue> (That's the password which I have been trying to set for both Policy servers)

                </Property>

                <Property Name="CA.SM::Admin.Name">

                    <StringValue>siteminder</StringValue>

                </Property>

     

but I can't find the siteminder user password in the non-working server. (Probably you missed the siteminder portion in the earlier update.)

     

As both policy servers point to the same policy store, I expect to see the same password. This needs to be confirmed from the xpsexport.

     

I have tested in my environment by pointing two policy servers to the same policy store and I don't have a problem logging in to the AdminUI with the legacy siteminder user.

I registered the AdminUI with

xpsregclient [siteminder]:[password] -adminui-setup

If the legacy user password is incorrect, you will not be able to register the AdminUI at PS2.

For example, I gave a wrong password when I tried to register AdminUI 2:

    ie:

    C:\Users\Administrator>xpsregclient siteminder:password11 -adminui-setup

    [XPSRegClient - XPS Version 12.52.0000.142]

    Log output: XPSRegClient.2014-12-11_134738.log

    Initializing system, please wait...

    Validating client name, please wait...

    (FATAL) : [sm-xpsxps-04670] Invalid administrator credentials.

     

In your case, I assume PS1 and AdminUI1 are working and the non-working one is AdminUI2. If you re-register AdminUI 2 at PS2, are you able to go through xpsregclient with the same super user (siteminder) password that you use when logging in to AdminUI 1?

     

    Regards,

    Kar Meng



  • 8.  Re: Legacy super user login issue with the Administrative UI

    Posted Dec 11, 2014 06:51 AM

    Hi Karmeng

     

On the second policy export, the password was showing as encrypted text:

     

           <Property Name="CA.SM::Admin.Password">

                    <StringValue>!~X&gt;]?e88;&lt;XUzw7zk,#h]6%LGe2},}/b4orEfZNWLgz&amp;t3uE33Ut;c&amp;39\2&gt;eC^&gt;9n:!&amp;.Hi]iw4D4pTJV2.s;\nYy-Sj,5_[(c!ZrN9;mEJ8D|}T@67D(CfN,&gt;CtHN</StringValue>

     

Both AdminUI1 and AdminUI2 work, but at any one point in time only one of them works.

     

    Please help.



  • 9.  Re: Legacy super user login issue with the Administrative UI

    Posted Dec 11, 2014 10:53 PM

    Hi Satish,

     

The portion you provided is not the legacy administrator siteminder user's password. The password string that you provided in the previous post is related to the admin name "SMWAMUI:host163.ps.com__0":

     

    <Property Name="CA.SM::Admin.Rights">

                    <NumberValue>15</NumberValue>

                </Property>

                <Property Name="CA.SM::Admin.Password">

                    <StringValue>!~X&gt;]?e88;&lt;XUzw7zk,#h]6%LGe2},}/b4orEfZNWLgz&amp;t3uE33Ut;c&amp;39\2&gt;eC^&gt;9n:!&amp;.Hi]iw4D4pTJV2.s;\nYy-Sj,5_[(c!ZrN9;mEJ8D|}T@67D(CfN,&gt;CtHN</StringValue>

                </Property>

                <Property Name="CA.SM::Admin.Name">

                    <StringValue>SMWAMUI:host163.ps.com__0</StringValue>

                </Property>

     

We need to first identify what the password for the siteminder user is in the policy export from policy server 2.

     

    What is the CA support issue number that the engineer said this is not supported? I can take a look on the issue to help me understand why the engineer said this is not supported.

     

    Regards,

    Kar Meng



  • 10.  Re: Legacy super user login issue with the Administrative UI

    Posted Feb 04, 2015 04:55 AM

    hi Karmeng

     

    Thanks for replying to my email.

    CA Support Request 21957718 01 - SITEMINDER PASSWORD RESET

     

    Please help.

     

    Thanks,

    Satish



  • 11.  Re: Legacy super user login issue with the Administrative UI
    Best Answer

    Posted Feb 08, 2015 09:17 PM

    Hi Satish,

     

I checked: the issue was closed and you proceeded to an external admin store. For this thread, the bottom line is to make sure that the legacy administrator (siteminder) password both policy servers read from the policy store contains the same value. When exporting policy data from both policy servers, the password for siteminder needs to be the same.

    ie:

    <Property Name="CA.SM::Admin.Password">
                    <StringValue>AVegtZU6g9IYLMWlh</StringValue>
                </Property>

                <Property Name="CA.SM::Admin.Name">
                    <StringValue>siteminder</StringValue>
                </Property>

     

If the export shows the value is different when exported from PS1 and PS2, then the login is expected to work on only one.

If the export shows the value is the same, then we might need to look elsewhere for the possible root cause.

     

    In short, what I need to ensure is both policy servers use the same encryption key. This key is used to decrypt sensitive data in the Policy Store. Data encrypted with the Policy Server Encryption Key from the Policy Server(ps1) cannot be decrypted in the Policy Store by the Policy Server(ps2) unless it is using the same key.

     

As you have a working environment, you can verify whether this theory stands.

     

    Regards,

    Kar Meng
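The check that runs through this whole thread (posts 4, 7, 9 and the best answer) is a comparison of the CA.SM::Admin record named "siteminder" in the xpsexport -xb -npass output taken from each policy server: same value means both servers decrypt the policy store with the same key, a different value or a missing record means they do not. Reading that by eye is error-prone, as post 8 shows, where an SMWAMUI:* AdminUI registration account was mistaken for the legacy user. The script below is an added example written for this page; it is not from the thread, from CA or from any Broadcom tool. It parses the <Object class="CA.SM::Admin"> structure exactly as shown in the thread's exports, but the <XPSExport> wrapper element, the file names and every password and host value in the constructed samples are assumptions made for the demo.

```python
"""Compare the legacy 'siteminder' administrator record in two xpsexport files.

Added example, not from the thread or from CA/Broadcom. The XML samples below are
constructed for this demo: they copy only the <Object class="CA.SM::Admin"> shape
shown in the thread; the <XPSExport> wrapper element and all values are assumptions.
"""
import sys
import xml.etree.ElementTree as ET

ADMIN_CLASS = "CA.SM::Admin"
NAME_PROP = "CA.SM::Admin.Name"
PASSWORD_PROP = "CA.SM::Admin.Password"
LEGACY_ADMIN = "siteminder"
ADMINUI_PREFIX = "SMWAMUI:"   # admin records created by 'xpsregclient ... -adminui-setup'


def _string_prop(obj, name):
    """Return the <StringValue> text of <Property Name=...> under obj, or None."""
    for prop in obj.findall("Property"):
        if prop.get("Name") == name:
            sv = prop.find("StringValue")
            return sv.text if sv is not None else None
    return None


def admin_records(xml_text):
    """Map admin name -> exported password string for every CA.SM::Admin object.

    iter() walks the whole tree, so the (assumed) wrapper element name does not matter.
    """
    root = ET.fromstring(xml_text)
    records = {}
    for obj in root.iter("Object"):
        if obj.get("class") != ADMIN_CLASS:
            continue
        name = _string_prop(obj, NAME_PROP)
        if name:
            records[name] = _string_prop(obj, PASSWORD_PROP)
    return records


def adminui_registrations(records):
    """Names of the per-AdminUI registration admins; these are NOT the legacy user."""
    return sorted(n for n in records if n.startswith(ADMINUI_PREFIX))


def compare_legacy_admin(export_ps1, export_ps2, admin=LEGACY_ADMIN):
    """Classify the two exports as 'match', 'mismatch' or 'missing:<ps1|ps2|both>'."""
    pw1 = admin_records(export_ps1).get(admin)
    pw2 = admin_records(export_ps2).get(admin)
    if pw1 is None and pw2 is None:
        return "missing:both"
    if pw1 is None:
        return "missing:ps1"
    if pw2 is None:
        return "missing:ps2"
    return "match" if pw1 == pw2 else "mismatch"


def _admin(name, password, rights=15):
    # Constructed fragment in the shape of the thread's xpsexport output.
    return f"""
    <Object class="{ADMIN_CLASS}" Xid="{ADMIN_CLASS}@12-example-{name}">
      <Property Name="CA.SM::Admin.DirectoryAuth"><BooleanValue>false</BooleanValue></Property>
      <Property Name="CA.SM::Admin.Rights"><NumberValue>{rights}</NumberValue></Property>
      <Property Name="{PASSWORD_PROP}"><StringValue>{password}</StringValue></Property>
      <Property Name="{NAME_PROP}"><StringValue>{name}</StringValue></Property>
    </Object>"""


def _export(*admins):
    return "<XPSExport>" + "".join(admins) + "</XPSExport>"  # wrapper element is assumed


# Constructed sample exports (placeholder passwords and hosts, not values from the thread).
EXPORT_PS1 = _export(_admin("siteminder", "LegacyPw-from-PS1", rights=47),
                     _admin("SMWAMUI:host163.example__0", "reg-pw-163"))
EXPORT_PS2_SAME = _export(_admin("siteminder", "LegacyPw-from-PS1", rights=47),
                          _admin("SMWAMUI:host153.example__0", "reg-pw-153"))
EXPORT_PS2_DIFF = _export(_admin("siteminder", "LegacyPw-as-decrypted-by-PS2", rights=47),
                          _admin("SMWAMUI:host153.example__0", "reg-pw-153"))
EXPORT_PS2_NO_LEGACY = _export(_admin("SMWAMUI:host153.example__0", "reg-pw-153"))


def main(argv):
    """Usage: compare_admin.py ps1-export.xml ps2-export.xml  (file names are assumptions)"""
    with open(argv[1], encoding="utf-8") as f1, open(argv[2], encoding="utf-8") as f2:
        print(compare_legacy_admin(f1.read(), f2.read()))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        main(sys.argv)
    else:
        print(compare_legacy_admin(EXPORT_PS1, EXPORT_PS2_DIFF))
```

A "mismatch" result is the symptom Kar Meng describes in the best answer: the same stored ciphertext decrypted with two different policy server encryption keys. A "missing:ps2" result means the export from PS2 did not contain a siteminder record at all, which is what happened in post 4 and why the comparison could not be made. Note that the -npass export the thread relies on is what makes the comparison possible, because sensitive values are written out in readable form; treat both export files as secrets and delete them once the check is done.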