Symantec Access Management


Issue with importing policy export

  • 1.  Issue with importing policy export

    Posted Jul 27, 2015 09:55 AM

    Hi,

     

    It is NOT yet resolved. I decided to go forward with a new strategy: initialize the policy store with 1252 sp1cr1 and then import the data. Unfortunately, import is failing w/o overwrite, and if I say "overwrite DB" then it is overwriting the port of policy store with 1252 sp1cr1.

     

    During XPSImport -validate, no inconsistencies were reported with policy store data, but the import still failed.

     

    Any thoughts?



  • 2.  Re: Issue with importing policy export

    Posted Jul 28, 2015 04:47 AM

    Hi Sanjay,

     

    I have branched out the importing policy export issue with new post.

     

    If I understand correctly, your concern about overwriting the policy store is due to the policy configuration data being overwritten, is that correct?

     

    If so, instead of doing a dump export with -xb, try exporting the policy data using a combination of -xe -xi -xp -xs (for R12.52 SP1 release).

     

    Best regards,

    Kelly



  • 3.  Re: Issue with importing policy export

    Posted Jul 29, 2015 10:24 AM

    Hi,

     

    Thanks for your reply.

     

    I will attempt this and will revert with my findings.

     

    Regards,

    Sanjay



  • 4.  Re: Issue with importing policy export

    Posted Jul 30, 2015 08:53 AM

    Hi,

     

    I attempted the export as per options specified and imported but it failed.

     

    It's going to be tedious but I am going to attempt the export by object types and see if that helps.

     

    Regards,

    Sanjay



  • 5.  Re: Issue with importing policy export

    Posted Jul 30, 2015 11:06 AM

    Hi Kelly,

     

    I have a question for you.

     

    Whenever I am importing, it says

    10:28:14 Saving                      1513/1513      100%       00:00:11

    (INFO) : [sm-xpsxps-05820] Import complete.

     

    and then takes long hours, 2-3, or sometimes does not even complete, to give the message "import failed".

     

    I am just curious why it is taking so much time.

     

    Any thoughts?

     

    Thanks,

    Sanjay



  • 6.  Re: Issue with importing policy export

    Posted Jul 30, 2015 01:18 PM

    Hi Sanjay,

     

    Could you please let us know which OS you are using here? In case of a Linux distribution, you will have to increase the entropy of the system.

    Try XPSSweeper to see if the store is in a consistent state or not.

     

    Thanks,

    Ankush



  • 7.  Re: Issue with importing policy export

    Posted Jul 30, 2015 02:01 PM

    Hi Ankush,

     

    Thanks for checking.

     

    FYI - My entropy is # 3072 and Unix version is 2.6.32-279.9.1.el6.x86_64 and nproc is set to 16384.



  • 8.  Re: Issue with importing policy export

    Posted Jul 30, 2015 02:05 PM

    Hi Sanjay,

     

    What is the version of RHEL?

    Please try with XPSSweeper command and see if you get any error or not wrt policy store.

     

    Thanks,

    Ankush



  • 9.  Re: Issue with importing policy export

    Posted Jul 30, 2015 02:30 PM

    Hi Ankush,

     

    When I ran XPSSweeper,

    3853 object(s) loaded from the Policy Store.

    It took around 1 hour to complete it.

    No errors reported.

     

    This puzzles me and I am unable to get over it.

    1. No errors during XPSImport -validateonly

    2. No errors during XPSSweeper

     

    But still during XPSImport .. after (INFO)  Import Complete .. it waits for 3-4 hours and no updates are being done.

     

    What am I really missing here for XPSImport to work well for bulk imports? We are using XPSExport, XPSImport and XPSExplorer on a daily basis, but there are no issues with single policy promotion.

     

    Any ideas please ..



  • 10.  Re: Issue with importing policy export

    Posted Jul 31, 2015 01:29 AM

    Hi Sanjay,

     

    To my knowledge, when XPSImport says "Import Complete" it just means it has completed reading the export file and completed validation and is now going to commit the changes to the Policy store.

    So if import utility is waiting for very long time after it prints this message it seems that your policy store is slow to operate.

    I know that our logging for the import isn't that great so you might not be knowing what it is doing in those times.

     

    Try to enable XPS tracing (XPSConfig-->xTrace--> Select all components) and see if that prints additional log messages in the Policy server trace to indicate the progress.

    However, to fix the slowness issue, you will need to tune your policy store.

     

    Cheers,

    Ujwol Shrestha



  • 11.  Re: Issue with importing policy export

    Posted Jul 31, 2015 11:52 AM

    Hi Ujwol,

     

    I very much appreciate your time to follow up on this and for providing your valuable inputs.

     

    I will certainly enable XPSConfig to get additional info.

     

    But I would like to go back to basics on XPSExport.

     

    I have initialized the policy store with 1252 Sp1 Cr2 and then just want to export only policy data (Agents, Groups, ACO, Auth Schemes, Admins, Domains, User Directories). I can do that w/o XPSExplorer, using XPSExport -xa or -xe -xi -xp -xs along with filename -vT -npass, and then XPSImport filename -vT -npass; it should work w/o any issues, correct?

     

    Am I doing anything wrong here?

     

    Please suggest.

     

    Thanks,

    Sanjay



  • 12.  Re: Issue with importing policy export
    Best Answer

    Posted Aug 02, 2015 08:53 PM

    Hi Sanjay,

     

     

    Based on the R12.52Sp1 bookshelf, the -xa option has been deprecated and has been superseded by the -xe and -xp options.

     

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?389218.html?zoom_highlightsub=xpsexport

     

    A bit of detail on some of the options that you mentioned:

    -xe = Exports the object types that are related to the execution environment.

    e.g. ACO, HCO, Authscheme, User Directory, Agent, AgentGroup, TrustedHost, VariableType, SharedSecretPolicy etc.

     

    -xp = Exports the object types that are related to the policies.

    e.g. Domains, Policy, realms, rules etc.

     

    -xs = Exports the entire security data.

    e.g. Admin

     

    -xi = Exports the object types that were initially installed.

    e.g. AgentType, AgentTypeAttr

     

    So I believe, for your use case, it is sufficient to use the -xe -xp -xs options.

    You don't really need to use the -xi option, as this will export the object types that were initially installed, which you will most probably already have in your new policy store if you have imported the default policy (smpolicy.xml).

     

    Please give it a go and let us know if you face any issues.

     

    Regards,

    Ujwol Shrestha