Symantec Access Management

  • 1.  APS Error

    Posted Jul 27, 2015 07:45 PM

    This was created on behalf of our community user: Venga

     

    Hi Ujwol,

     

    I tried setting up APS in my environment, and while trying to access the URL http://xyz.mydomain.com/aps/fps/Forgot.exe?Target=http://xyx.mydomain.com/fp it displays the following error message: "Unable to initialize agent".

     

    If I hit http://xyz.mydomain.com/aps/apsadmin/apsadmin.exe then it displays the error below.

    "SM-APS-15003 = APS Administration Service must run under a Web Agent."

     

    Is there anything I'm missing out?



  • 2.  Re: APS Error
    Best Answer

    Posted Jul 27, 2015 08:26 PM

    Hi Venga,

     

    The error "Unable to initialize agent" while accessing the Forgot Password interface (Forgot.exe) indicates that you haven't yet configured SmPortal.cfg.

    This is required to initialize the client side agent and to be able to communicate with the Policy Server.

    More details can be found here: https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/784519.html

     

    For your reference here is what you will need to define in SmPortal.cfg:

    *********************************************************

    ;;Define Policy Servers

     

    Servers=MyServer

    MyServer.ip=127.0.0.1

     

    ;;Define 4x Agents to be used for Forgot Password and Change Password Services

     

    Agents=FPS,SMCPW

    FPS.Servers=MyServer

    FPS.Secret=secret

    ;; FPS.RoundRobin

     

    SMCPW.Servers=MyServer

    SMCPW.Secret=secret

    ;; SMCPW.RoundRobin

     

    ;;Define Services that need to be configured. These need to match exactly as below

    ;;Service Name for Forgot Password is FPS.smaps

    ;;Service Name for Change Password is API.smaps

     

    Services=API.smaps,FPS.smaps

    API.smaps.Agent=SMCPW

    FPS.smaps.Agent=FPS

     

    *********************************************************

     

    For APSAdmin also you will need to do the same thing. The Service Name for APSAdmin is "APSAdmin.smaps".

    You will also need to map the agent_home\bin\web\APSAdmin directory to your web server as a virtual CGI directory.

     

    Let me know how it goes.

     

    Cheers,

    Ujwol Shrestha
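
A consistency check for the SmPortal.cfg layout shown in the answer above, as an added example that is not part of the original thread or of the product: it confirms that every service maps to a defined agent, every agent to a defined server, and flags a shared secret left at the sample value. The parser assumes only the `key=value` and `;;` comment syntax visible in the sample; `check`, `parse`, `names` and `SAMPLE_CFG` are hypothetical names.

```python
SAMPLE_CFG = """\
;; constructed sample modelled on the SmPortal.cfg in the answer above
Servers=MyServer
MyServer.ip=127.0.0.1
Agents=FPS,SMCPW
FPS.Servers=MyServer
FPS.Secret=secret
SMCPW.Servers=MyServer
SMCPW.Secret=secret
Services=API.smaps,FPS.smaps
API.smaps.Agent=SMCPW
FPS.smaps.Agent=FPS
"""

def parse(text):
    """Return key -> value for every 'key=value' line; ';' lines are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def names(cfg, key):
    """Split a comma-separated list setting such as Agents=FPS,SMCPW."""
    return [n.strip() for n in cfg.get(key, "").split(",") if n.strip()]

def check(text, required_services=("API.smaps", "FPS.smaps")):
    """Return a list of problems; an empty list means the references line up."""
    cfg, problems = parse(text), []
    servers, agents, services = (names(cfg, k) for k in ("Servers", "Agents", "Services"))
    for s in servers:
        if not cfg.get(f"{s}.ip"):
            problems.append(f"server {s}: no {s}.ip")
    for a in agents:
        for s in names(cfg, f"{a}.Servers") or ["<none>"]:
            if s not in servers:
                problems.append(f"agent {a}: server {s} not in Servers")
        if cfg.get(f"{a}.Secret", "") in ("", "secret"):
            problems.append(f"agent {a}: Secret missing or still the sample value")
    for svc in required_services:
        if svc not in services:
            problems.append(f"service {svc}: not listed in Services (exact name required)")
    for svc in services:
        if cfg.get(f"{svc}.Agent") not in agents:
            problems.append(f"service {svc}: Agent not in Agents")
    return problems
```

Pass `required_services=("API.smaps", "FPS.smaps", "APSAdmin.smaps")` to also require the APSAdmin service name given in the answer.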



  • 3.  Re: APS Error

    Posted Jul 28, 2015 11:04 AM

    Hi Ujwol,

     

    As mentioned I have configured the SmPortal.cfg file. After that I have tested below functionalities.


    I have tried the Change Password use case; it was successful.

    I have tried invoking the FPS URL and it successfully displayed the Identify.asp page, but when I submit the values it throws the error below.

     

    [ERROR: [SM-APS-07331] Unable to locate Directory Object for host "<host name>"][SmTransact(APS): ERROR: [SM-APS-07331] Unable to locate Directory Object for host "10.242.245.163"]

    [07/28/2015][14:39:25.500][14:39:25][1844][2084][CServer.cpp:262][ServerTrace][][][][][][][][][][][][][][][][][][][][ERROR: [SM-APS-07332] This host does not match any User Directories defined in the Policy Store][SmTransact(APS): ERROR: [SM-APS-07332] This host does not match any User Directories defined in the Policy Store]

     

    Can you please help here?

     



  • 4.  Re: APS Error

    Posted Jul 29, 2015 01:36 AM

    Hi Venga,

     

    Good to see you are making progress there. So your original issue seems to have been resolved now.

     

    Now, the next error that you are getting is :

     

    [ERROR: [SM-APS-07331] Unable to locate Directory Object for host "<host name>"][SmTransact(APS): ERROR: [SM-APS-07331] Unable to locate Directory Object for host "10.242.245.163"]

    [07/28/2015][14:39:25.500][14:39:25][1844][2084][CServer.cpp:262][ServerTrace][][][][][][][][][][][][][][][][][][][][ERROR: [SM-APS-07332] This host does not match any User Directories defined in the Policy Store][SmTransact(APS): ERROR: [SM-APS-07332] This host does not match any User Directories defined in the Policy Store]

     

    This indicates that you haven't properly configured your APS.cfg.

    I suggest you go through the APS documentation (or the APS.cfg file) and understand each of the attributes and configure them appropriately.

     

    For this particular error, it is clear that your policy store doesn't have the "User Directory" object matching it.

     

    Next Action:

    =======

    Go back to the Admin UI and copy the host name and the port number that you have configured for the User Directory object (where you want the user to be looked up for FPS) and use that as the value for the "Directory" setting as below:

     

     

    ******************************************************

     

     

    ///////////////////////////////////////////////////////////////////////

    // The Directory setting specifies the directory that FPS will search

    // for users. Only a single directory is supported for FPS.

    //

    // The value of this setting can be the name or directory designator

    // of the directory. FPS will query the User Directory definitions in

    // SiteMinder's Policy Store and try to match up a definition with this

    // value. For LDAP directories, ip addresses (with optional port),

    // network names and SiteMinder User Directory names will work. For

    // ODBC directories, the DSN and the SiteMinder User Directory names

    // will work.

    ///////////////////////////////////////////////////////////////////////

     

     

    Directory=vm1.ujwol.com:389

    ***************************************************************************************

     

    Please note, you will also need to configure remaining attributes for other FPS sections as well.

    FPS sections can be found easily, as they begin with [FPS-***], e.g. [FPS], [FPS-Identify], etc.

     

    APS guide : Advanced Password Services (APS) Guide

     

    Cheers,

    Ujwol Shrestha