Symantec Access Management


Cannot manage Secure Proxy Server

  • 1.  Cannot manage Secure Proxy Server

    Posted Aug 04, 2015 11:12 AM

    Hi,

     

    Today I installed and re-installed SPS a few times. At no time was I able to manage it, and I don't know what I can be doing wrong. Maybe it is a configuration failure. Anyway, I'm not that expert in networking or in CA SSO, and I'm sure I configured something wrongly, but I don't notice what. I'm going to explain the SPS configuration process I followed:

    1. CA SP is perfectly installed on a virtual machine A with IP x.x.x.23. I want to run CA SPS on another virtual machine B with IP x.x.x.22. Both machines belong to the same domain.
    2. I start running CA SPS configuration wizard.
    3. I provide the version of the Policy Server: 12.5x.x
    4. I select option "Yes, I would like to do Host Registration" and I don't enable "PKCS11 DLL Cryptographic Hardware".
    5. I type the same Admin User Name and Admin Password as in CA PS. I don't enable "Shared Secret Rollover"
    6. I type "trusted_host_conf_obj" on Trusted Host Name and "HCOConfObj" on Host Configuration Object. Before clicking on Next, I go to machine A, where CA SP is running, and in Trusted Hosts I create a Host Configuration named "HCOConfObj", whose values are
      • Policy Server.Host = x.x.x.23 (IP of virtual machine where CA SP is running)
      • Policy Server.Accounting Port = 44441
      • Policy Server.Accounting Port = 44442
      • Policy Server.Authorization Port = 44443.
    7. I go back to machine B and click next.
    8. I add IP address of machine A: x.x.x.23
    9. I select option "FIPS Compatibility Mode".
    10. I let default values of Host Configuration file location.
    11. I type "apache-aco" in field Agent Configuration Object. Again, before clicking on Next, I go to the machine A to create that object. So I create in Agent Configuration Objects an object called "apache-aco" with this values
      • DefaultAgentName = secureproxy
      • DefaultPassword = siteminder
      • DefaultUserName = siteminder
      • LogoffUri = /proxyui/logout
    12. I back to machine B and click on Next.
    13. I let default values of Web Agent file location.
    14. I type "apache-secury-proxy" on Agent and before clicking on Next I create in machine A an object called "apache-secury-proxy" in Agents.
    15. Back to machine B and click on Next.
    16. I fill Apache Configuration form:
      • Server Name = x.x.x.22 (where is going CA SPS to run)
      • Admin's Email = any@email.com
      • HTTP Port = 80
      • SSL Port = 443
    17. I fill Tomcat Configuration form:
      • HTTP Port = 8080
      • SSL Port = 543
    18. I fill Shutdown and AJP Port form
      • Shutdown Port = 8005
      • AJP Port = 8009
    19. I enable WebAgent but don't Enable Federation Gateway
    20. I enter a Master Key
    21. Before click on install I got this message
      • Configure the following information:
      •     Policy Server Version:  12.5
      •     FIPS Mode:  COMPAT
      •     Server Name: x.x.x.22
      •     Admin's Email Address: admin@mycompany.com
      •     HTTP Port: 80
      •     SSL Port: 443
      •     Tomcat HTTP Port: 8080
      •     Tomcat SSL Port: 543
      •     Shutdown Port: 8005
      •     AJP Port: 8009
      •     Enable Federation Gateway: no
      •     Is Webagent Enabled: YES

    22. Click on Install.
    23. After that I check that CA SP is running
    24. I try to access through IE to the GUI and... http://x.x.x.22:8080/proxyui/ or http://localhost:8080/proxyui/

    Internet Explorer cannot display the webpage

     

    With http://x.x.x.22/proxyui/ or http://localhost/proxyui it doesn't work either. What I got is


    Service Unavailable

    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

     

    I execute on cmd "netstat -a -n -o | find 8080" but got nothing. I can ping machine A, machine B, the machine where DNS is running, etc. Executing nslookup I don't get any error...

     

    What am I doing wrong? Thanks in advance



  • 2.  Re: Cannot manage Secure Proxy Server

    Posted Aug 04, 2015 10:08 PM

    What is server.log showing? Any errors?



  • 3.  Re: Cannot manage Secure Proxy Server

    Posted Aug 05, 2015 04:11 AM

    Didn't think about it! Ok, let's see. As far as I can see it always displays same lines:

     

    server.log (CA SiteMinder Secure Proxy)

    [05/ago/2015:09:47:28-225] [INFO] - CA Secure Proxy Server

    [05/ago/2015:09:47:28-225] [INFO] - Versión 12.52 , actualización 0000  y etiqueta 142

    [05/ago/2015:09:47:28-225] [INFO] - Versión del archivo: 12.52 .0000 .142

    [05/ago/2015:09:47:28-225] [INFO] - Copyright CA Technologies, 1996-2012

    [05/ago/2015:09:47:28-225] [INFO] - Loading services...

    [05/ago/2015:09:47:28-240] [INFO] - Load of services: forward name, class org.tigris.noodle.Noodle and properties {http_connection_pool_min_size=4, http_connection_timeout=0, http_connection_stalecheck=false, http_connection_pool_connection_timeout=1 minute, http_connection_pool_wait_timeout=0, protocol.multiple=true, http_connection_pool_max_size=20, http_connection_pool_max_attempts=3, http_connection_pool_incremental_factor=4}

    [05/ago/2015:09:47:28-256] [INFO] - Load of services: redirect name, class com.netegrity.proxy.service.RedirectService and properties {}

    [05/ago/2015:09:47:28-256] [INFO] - Services loaded.

    [05/ago/2015:09:47:28-256] [INFO] - Start storing of sessions(com.netegrity.proxy.session.SimpleSessionStore)

    [05/ago/2015:09:47:28-256] [INFO] - Session store initiated.

    [05/ago/2015:09:47:28-256] [INFO] - service_dispatcher_loaded

    [05/ago/2015:09:47:28-256] [INFO] - Loading schemes of session...

    [05/ago/2015:09:47:28-256] [INFO] - Load of scheme of session: default

    [05/ago/2015:09:47:28-271] [INFO] - Load of scheme of session: ssl_id

    [05/ago/2015:09:47:28-271] [INFO] - Load of scheme of session: simple_url

    [05/ago/2015:09:47:29-426] [INFO] - Load of scheme of session: minicookie

    [05/ago/2015:09:47:29-426] [INFO] - Load of scheme of session: device_id

    [05/ago/2015:09:47:29-426] [INFO] - Schemes of session loaded.

    [05/ago/2015:09:47:29-426] [INFO] - Loading agents of users...

    [05/ago/2015:09:47:29-426] [INFO] - Agents of users loaded.

    [05/ago/2015:09:47:29-426] [INFO] - Loading virtual hosts...

    [05/ago/2015:09:47:29-426] [INFO] - Load of virtual host: default

    [05/ago/2015:09:47:29-426] [INFO] - No User Management Server Configured.

    [05/ago/2015:09:47:29-426] [INFO] - No Password Services Server Configured.

    [05/ago/2015:09:47:29-441] [INFO] - load_metric_reporter

    [05/ago/2015:09:47:29-457] [INFO] - load_contexts

    [05/ago/2015:09:47:29-457] [INFO] - load_contexts

    [05/ago/2015:09:47:29-457] [INFO] - load_contexts

    [05/ago/2015:09:47:29-457] [INFO] - load_contexts

    [05/ago/2015:09:47:29-457] [INFO] - load_contexts

    [05/ago/2015:09:47:29-972] [INFO] - Starting scheduler service [global-scheduler]

    //Moment when I try to access to Proxy UI

    [05/ago/2015:09:47:37-881] [ERROR] - log4j:WARN Unrecognized element rollingPolicy

    [05/ago/2015:09:47:38-911] [INFO] - INFO: using ARCOT_HOME C:\Program Files (x86)\CA\secure-proxy\arcot

    [05/ago/2015:09:47:38-911] [INFO] - Logging configuration initialization/refresh from C:\Program Files (x86)\CA\secure-proxy\arcot\conf\cawebflow_log4j.xml

    [05/ago/2015:09:47:38-926] [ERROR] - log4j:WARN Unrecognized element rollingPolicy

    [05/ago/2015:09:47:38-926] [INFO] - Logging for com.ca.aa.ui started with output to C:/Program Files (x86)/CA/secure-proxy/arcot/logs/CAWebFlowLog.txt (CWD=C:\Program Files (x86)\CA\secure-proxy\proxy-engine)

    [05/ago/2015:09:47:38-973] [INFO] - Bootstrap configuration directory=C:\Program Files (x86)\CA\secure-proxy\arcot/conf/

    [05/ago/2015:09:47:39-363] [INFO] - driver loaded

    [05/ago/2015:09:47:44-386] [INFO] - AbandonedObjectPool is used (org.apache.commons.dbcp.AbandonedObjectPool@85f3d6)

    [05/ago/2015:09:47:44-386] [INFO] -    LogAbandoned: false

    [05/ago/2015:09:47:44-386] [INFO] -    RemoveAbandoned: true

    [05/ago/2015:09:47:44-386] [INFO] -    RemoveAbandonedTimeout: 300

     

    If I click on IE Diagnose Connection Problems what I get is: The remote device or resource won't accept the connection. Is everything ok what I wrote above in my first post? Did I configure something wrongly?

     

    Thanks



  • 4.  Re: Cannot manage Secure Proxy Server

    Posted Aug 05, 2015 05:00 AM

    I made a change in the configuration:

    1. CA SP is perfectly installed on a virtual machine A with IP x.x.x.23. I want to run CA SPS on another virtual machine B with IP x.x.x.22. Both machines belong to the same domain.
    2. I start running CA SPS configuration wizard.
    3. I provide the version of the Policy Server: 12.5x.x
    4. I select option "Yes, I would like to do Host Registration" and I don't enable "PKCS11 DLL Cryptographic Hardware".
    5. I type the same Admin User Name and Admin Password as in CA PS. I don't enable "Shared Secret Rollover"
    6. I type "machine B" (NEW NAME!) on Trusted Host Name and "HCOConfObj" on Host Configuration Object. Before clicking on Next, I go to machine A, where CA SP is running, and in Trusted Hosts I create a Host Configuration named "HCOConfObj", whose values are
      • Policy Server.Host = x.x.x.23 (IP of virtual machine where CA SP is running)
      • Policy Server.Accounting Port = 44441
      • Policy Server.Accounting Port = 44442
      • Policy Server.Authorization Port = 44443.
    7. I go back to machine B and click next.
    8. I add IP address of machine A: x.x.x.23
    9. I select option "FIPS Compatibility Mode".
    10. I let default values of Host Configuration file location.
    11. I type "apache-aco" in field Agent Configuration Object. Again, before clicking on Next, I go to the machine A to create that object. So I create in Agent Configuration Objects an object called "apache-aco" with this values
      • DefaultAgentName = secure-proxy-agent
      • DefaultName = secure-proxy-agent (NEW FIELD!)
      • LogoffUri = /proxyui/logout
    12. I back to machine B and click on Next.
    13. I let default values of Web Agent file location.
    14. I type "apache-secury-proxy" on Agent and before clicking on Next I create in machine A an object called "apache-secury-proxy" in Agents.
    15. Back to machine B and click on Next.
    16. I fill Apache Configuration form:
      • Server Name = x.x.x.22 (where is going CA SPS to run)
      • Admin's Email = any@email.com
      • HTTP Port = 80
      • SSL Port = 443
    17. I fill Tomcat Configuration form:
      • HTTP Port = 8080
      • SSL Port = 543
    18. I fill Shutdown and AJP Port form
      • Shutdown Port = 8005
      • AJP Port = 8009
    19. I enable WebAgent but don't Enable Federation Gateway
    20. I enter a Master Key
    21. Before click on install I got this message
      • Configure the following information:
      • Policy Server Version:  12.5
      •     FIPS Mode:  COMPAT
      •     Server Name: x.x.x.22
      •     Admin's Email Address: admin@mycompany.com
      •     HTTP Port: 80
      •     SSL Port: 443
      •     Tomcat HTTP Port: 8080
      •     Tomcat SSL Port: 543
      •     Shutdown Port: 8005
      •     AJP Port: 8009
      •     Enable Federation Gateway: no
      •     Is Webagent Enabled: YES
    22. Click on Install.
    23. After that I check that CA SP is running

     

    And the rest is the same. Thanks



  • 5.  Re: Cannot manage Secure Proxy Server

    Posted Aug 09, 2015 01:44 AM

    Hi ajcremades,

     

    Check the nohup.out corresponding to the startup.

     

    Best regards,

    Kelly



  • 6.  Re: Cannot manage Secure Proxy Server

    Posted Aug 10, 2015 03:39 AM

    Hi, here it is, the last one:

     

    05-ago-2015 10:49:34 org.apache.coyote.AbstractProtocol init

    INFO: Initializing ProtocolHandler ["ajp-bio-8009"]

    05-ago-2015 10:49:34 org.apache.coyote.AbstractProtocol init

    INFO: Initializing ProtocolHandler ["http-bio-8080"]

    05-ago-2015 10:49:34 org.apache.catalina.mbeans.GlobalResourcesLifecycleListener createMBeans

    GRAVE: No global naming context defined for server

    05-ago-2015 10:49:34 org.apache.catalina.core.StandardService startInternal

    INFO: Arrancando servicio Catalina

    05-ago-2015 10:49:34 org.apache.catalina.core.StandardEngine startInternal

    INFO: Starting Servlet Engine: Apache Tomcat/7.0.39

    05-ago-2015 10:49:42 org.apache.catalina.core.ApplicationContext log

    INFO: No Spring WebApplicationInitializer types detected on classpath

    05-ago-2015 10:49:42 org.apache.catalina.core.ApplicationContext log

    INFO: Set web app root system property: 'webapp.root' = [C:\Program Files (x86)\CA\secure-proxy\Tomcat\webapps\authapp\]

    05-ago-2015 10:49:42 org.apache.catalina.core.ApplicationContext log

    INFO: Initializing log4j from [file:${ARCOT_HOME}/conf/cawebflow_log4j.xml]

    log4j:WARN Unrecognized element rollingPolicy

    05-ago-2015 10:49:42 org.apache.catalina.core.ApplicationContext log

    INFO: Initializing Spring root WebApplicationContext

    INFO: using ARCOT_HOME C:\Program Files (x86)\CA\secure-proxy\arcot

    Logging configuration initialization/refresh from C:\Program Files (x86)\CA\secure-proxy\arcot\conf\cawebflow_log4j.xml

    log4j:WARN Unrecognized element rollingPolicy

    Logging for com.ca.aa.ui started with output to C:/Program Files (x86)/CA/secure-proxy/arcot/logs/CAWebFlowLog.txt (CWD=C:\Program Files (x86)\CA\secure-proxy\proxy-engine)

    Bootstrap configuration directory=C:\Program Files (x86)\CA\secure-proxy\arcot/conf/

    driver loaded

    AbandonedObjectPool is used (org.apache.commons.dbcp.AbandonedObjectPool@102a01f)

      LogAbandoned: false

      RemoveAbandoned: true

      RemoveAbandonedTimeout: 300

     

    hope it helps, because I don't find anything, thanks.

     

    Kind regards,

    Andrés-J. Cremades



  • 7.  Re: Cannot manage Secure Proxy Server

    Posted Aug 10, 2015 03:13 PM

    Are you able to log in to the Proxy UI? I added a user to my policy-server for this purpose, but when I try to log in the proxy-ui server crashes with 500 "internal server error".



  • 8.  Re: Cannot manage Secure Proxy Server

    Posted Aug 11, 2015 03:29 AM

    Hi,

     

    no, I'm not.



  • 9.  Re: Cannot manage Secure Proxy Server

    Posted Aug 11, 2015 03:05 AM

    Hi,

     

    It seems some arcot stuff is causing an issue. In server.conf (secure-proxy\proxy-engine\conf), try disabling all three of them as below (enable="no"), restart the proxy engine and test again.

     

    ie:

        <Context name="AALoginService">
            docBase="aaloginservice"
            path="aaloginservice"
            enable="no"
        </Context>
        <Context name="Advanced Auth Application">
            docBase="authapp"
            path="authapp"
            enable="no"
        </Context>
        <Context name="UI Application">
            docBase="uiapp"
            path="uiapp"
            enable="no"
        </Context>
    </Contexts>

     

    Hope this helps.

    Kar Meng



  • 10.  Re: Cannot manage Secure Proxy Server

    Posted Aug 11, 2015 03:28 AM

    Hi,

     

    I modified those fields and now the Proxy UI works. Thanks a lot. What is that arcot thing? Is it a CA Software which works with CA SSO? Will it be ok with those fields deactivated?

     

    Kind regards,

    Andrés-J. Cremades



  • 11.  Re: Cannot manage Secure Proxy Server

    Posted Aug 11, 2015 12:06 PM

    It makes sense now, Good Catch Kar Meng.

     

    https://wiki.ca.com/pages/viewpage.action?pageId=105814500

     

    Did we check the pre-requisite section of SPS Installer?

     

     

    • Ensure that the CA RiskMinder service is running. To check the status, perform the following steps:

      Windows
      1. Open the Task Manager and verify that the arrfserver process is running.
      2. Navigate to policy_server_installation_path\aas\logs.
      3. Open the cariskminderstartup.log file and verify that the following line exists at the end of the file:

         CA RiskMinder Service READY

      UNIX
      1. Run the ps command and verify that the arrfserver and arrfwatchdog processes are running.
      2. Navigate to policy_server_installation_path/aas/logs.
      3. Open the cariskminderstartup.log file and verify that the following line exists at the end of the file:

         CA RiskMinder Service READY



    It looks like we did not have CA RiskMinder Services on Policy Server machine configured. Hence Secure Proxy Server did not initialize correctly.

     

    Regards

     

    Hubert



  • 12.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 04:18 AM

    Hi Hubert,

     

    it seems I didn't check all the pre-requisites because I didn't install CA RiskMinder. I don't have any cariskminderstartup.log. I'll check everything again. Thanks.

     

    Kr,

    Andrés-J. Cremades



  • 13.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 05:49 AM

    Is it absolutely necessary to have installed CA Risk Authentication (formerly CA RiskMinder)? If it is, does it have to be installed separately? Or does it have to be installed with the Policy Server or the SPS?



  • 14.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 10:40 AM

    Starting R12.52 RiskMinder is shipped along with Policy Server Installer. This is for the CA SSO Session Assurance Feature. There is an App which is deployed on SPS. This App interacts with Policy Server and RiskMinder.

     

    The policy server install guide has steps to configure riskminder services after installing and configuring the policy server. If we do not configure the riskminder services on policy server, then disable the app (on SPS) which communicates with riskminder.

     

    Regards

     

    Hubert



  • 15.  Re: Cannot manage Secure Proxy Server

    Posted Aug 11, 2015 05:47 AM

    Hi,

     

    now there is another problem: I cannot login into SPS UI. It's weird because I'm sure that Admin User credentials are right.

     

    Kind regards,

    Andrés-J. Cremades



  • 16.  Re: Cannot manage Secure Proxy Server

    Posted Aug 11, 2015 10:56 AM

    Hi,

     

    I installed again CA SSO and CA SPS. If I'm able to configure SPS it means that there is a connection between it and the Policy Server, otherwise, how can tell the SPS Wizard Configuration that in Policy Server exists the agents to need to establish connection? I checked the agents too:

    • Web Agent I called "secureproxyapache" is in the right domain, the one what was created during SPS configuration.
      • Realm Associations
        • Domain: DOMAIN-SPSADMINUI-secureproxyagent; Realm: REALM-GRPSYNC-SPSADMINUI-secureproxyagent 
        • Domain: DOMAIN-SPSADMINUI-secureproxyagent: Realm: REALM-SPSADMINUI-secureproxyagent
    • Agent Configuration Object "apacheAco" has these parameters:
      • DefaultAgentName: secureproxyapache
      • DefaultPassword:    siteminder
      • DefaultUserName:   siteminder
      • LogoffUri:               /proxyui/logout
    • Host Configuration Objects:
      • HCOConfObj:  Policy Server
        • Host x.x.x.23 (IP Address of Policy Server)
        • Accounting Port: 44441
        • Authentication Port: 44442
        • Authorization Port: 44443
    • Domain:  DOMAIN-SPSADMINUI-secureproxyagent --> Domain for protecting proxyUI
    • Realms:
      • Domain: DOMAIN-SPSADMINUI-secureproxyagent; Parent Realm: REALM-SPSADMINUI-secureproxyagent; Name: REALM-GRPSYNC-SPSADMINUI-secureproxyagent; Agent  secureproxyagent; Resource Filter: /GroupSyncServlet
      • Domain: DOMAIN-SPSADMINUI-secureproxyagent;Name: REALM-SPSADMINUI-secureproxyagent; Agent: secureproxyagent; Resource Filter: /proxyui

     

    When I disabled those properties I could reach Proxy UI, but then it told me that the user credentials were wrong when I know they were not. After a re-installation and re-configuration what I get now is an HTTP 500 error (without disabling anything). Both hosts are running and are reachable. Do you see any other reason why this connection is failing?

     

    LAST-MINUTE NEW: Sometimes, when I try to browse to http://localhost/proxyui/ I get a "Service Unavailable:The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."

     

    Kind regards,

    Andrés-J. Cremades



  • 17.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 03:30 AM

    Hi Andreas,

     

    Thanks for your update. I think being unable to log in is a different issue. The important thing is to disable the AA setting in the server.conf so that you can access the /proxyui page. The user that you provided being unable to log in could be due to the policy configured for the domain. Did you add all users to the policy that protects the /proxyui domain?

     




  • 18.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 04:25 AM

    Ok. Understood. I checked the domain and it doesn't have any user directory yet. I thought I could do that later. Does this admin user have to be in the user directory? I thought admin users were independent and that Policy Server and Secure Proxy Server handled them.

     


     

    I must say that I'm trying to deploy the simplest CA SSO scenario in a closed environment:

    • CA Policy Server (installed)
    • CA Secure Proxy Server (installed)
    • CA Admin UI (installed)
    • User Store (no connection yet)
    • Policy Store (through CA Directory)
    • Key Store (through CA Directory)


  • 19.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 10:56 AM

    I am going to keep this definition very simple. I just configured SPS ProxyUI and then also implemented the SPS Group Feature.

     

    • If we are not using the SPS Group Configuration Feature and only using ProxyUI to administer a Single SPS instance, then adding the SiteMinder User Directory Object, User to “DOMAIN-SPSADMINUI-wa-<instancename>” (Policy Domain) Policy is enough.

     

    • For SPS Group Configuration Feature the user in the “DOMAIN-SPSADMINUI-wa-<instancename>” Policy Domain’s policy has also to be defined as a SiteMinder Administrator defined through the WAM UI.

     

    I hope this clearly differentiates the steps.

     

    Step-1

    Creation of SiteMinder User Directory is Mandatory.

    Step-2

    Adding the User from SiteMinder User Directory into the Policy of the Policy Domain "DOMAIN-SPSADMINUI-sps" is Mandatory.

     

    Step-1 and Step-2 will ensure that you are able to login to ProxyUI.

     

    Now after we log in to ProxyUI, we would see an Error on the UI. As I said earlier, we can still continue to manage the Single SPS instance at this stage. So if you are setting up a basic SPS this is all you need to do.


     

     

    Moving forward, if we need to use the SPS Group Feature then

     

    Step-3

    user in the “DOMAIN-SPSADMINUI-wa-<instancename>” Policy Domain’s policy (Step-2) has also to be defined additionally as a SiteMinder Administrator defined through the Administration UI.


    Now follow the Steps defined in the Wiki.

    https://wiki.ca.com/display/sm1252sp1/Group%20Configuration%20Settings%20Configuration




    Regards


    Hubert



  • 20.  Re: Cannot manage Secure Proxy Server
    Best Answer

    Posted Aug 12, 2015 10:54 AM

    One thing I see in your description is that you have not correctly set the DefaultAgentName in your ACO to the agent name you created. One is secureproxyapache and the other is secureproxyagent. This will prevent you from being able to log in. I suggest, before starting the proxy configuration, that you create all the policy server objects (Agent, ACO, HCO), set the defaultagentname in the ACO, then refresh the PS cache. Then run the proxy configuration. At this point, you may be able to change the ACO parameter defaultagentname, refresh the cache, and see if it works.



  • 21.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 11:04 AM

    These are the bare minimum steps to get a ProxyUI working with a single instance of SPS.

     

     

    INSTALL PS AND WAM UI

    Install a OOB Policy Server and WAM UI on Machine-1.

    I used R12.52 SP1 CR02 766 build PS with JDK7 update 80 and JCE applied.

     

    CREATE OBJECT

    Login to WAM UI using ‘SiteMinder’ super user and create the following objects.

    1. A SiteMinder User Directory Object.
    2. WebAgent Object and ACO for SPS1.
      1. wa_sps1
      2. wac_sps1 (add wa_sps1 in DefaultAgentName).

     

     

    INSTALL AND CONFIGURE SPS

    1. I created a user and group called ‘smuser’ on Machine-2 (OS was RHEL6).
    2. Install JDK on Machine-2. I used JDK7 update 80 and JCE applied.
    3. Installed SPS on path /smuser_home/programfiles/CA-secure-proxy-server-1/secure-proxy/proxy-engine
    4. I used ‘smuser’ as the Tomcat user instead of default ‘nobody’.
    5. Used the following ports
    6. Apache http 8442, Apache https 8443, Tomcat 8080, SSL 543, AJP ports 8005 and 8009.
    7. Used wac_sps1 for ACO and AgentName in SPS Configuration Wizard wa_sps1.
    8. After SPS was installed and configured successfully, start the SPS.
    9. Login to WAM UI using ‘SiteMinder’ super user and edit the policy domain “DOMAIN-SPSADMINUI-wa_sps”.
    10. Link the SiteMinder User Directory Object to Policy Domain.
    11. Submit the changes. 
    12. Login to WAM UI using ‘SiteMinder’ super user and edit the policy domain “DOMAIN-SPSADMINUI-wa_sps”.
    13. Edit the Policy and add ‘all’.
    14. Submit the changes.
    15. Access URL http://FQDN:8442 and request should get proxied to www.ca.com
    16. Access URL http://FQDN:8080/proxyui. We should get a login page.
    17. Enter a User from SiteMinder User Directory Object we created on WAM UI.
    18. E.g. HAAAAA / firewall.
    19. User is logged in because SiteMinder User Directory Object is linked to “DOMAIN-SPSADMINUI-wa_sps” and policy has allow all user.

     

     

    NOTE: If RiskMinder service is not configured along with Policy Server, then disable the Session Assurance App on SPS.

     

    Regards

     

    Hubert



  • 22.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 11:09 AM

    Hubert, would this work if not using a default SPS instance but one with a different name?



  • 23.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 11:18 AM

    Yes it would. I built 2 SPS instances on the same RHEL6 machine (machine-2 from above post). Hence SPS1 was default and SPS2 was a new instance.

     

    Here are the steps for the SPS2 instance (See the Policy Domain name change and the install path name change). Those are with instance name.

     

     

    CREATE OBJECT

    Login to WAM UI using ‘SiteMinder’ super user and create the following objects.

    1. A SiteMinder User Directory Object.
    2. WebAgent Object and ACO for SPS2.
      1. wa_sps2
      2. wac_sps2 (add wa_sps2 in DefaultAgentName).

     

     

    INSTALL AND CONFIGURE R12.52 SP1 CR02 766 BUILD SPS2 ON MACHINE-2.

    1. Installed SPS on path /smuser_home/programfiles/CA-secure-proxy-server-2/secure-proxy/sps2/proxy-engine
    2. I used ‘smuser’ as the Tomcat user instead of default ‘nobody’.
    3. Used the following ports
    4. Apache http 9442, Apache https 9443, Tomcat 7070, SSL 643, AJP ports 7005 and 7009.
    5. Used wac_sps2 and wa_sps2
    6. After SPS2 was installed and configured successfully, start the SPS2.
    7. Login to WAM UI using ‘SiteMinder’ super user and edit the policy domain “DOMAIN-SPSADMINUI-wa_sps2”.
    8. Link the SiteMinder User Directory Object to Policy Domain.
    9. Submit the changes.
    10. Login to WAM UI using ‘SiteMinder’ super user and edit the policy domain “DOMAIN-SPSADMINUI-wa_sps2”.
    11. Edit the Policy and add ‘all’.
    12. Submit the changes.
    13. Access URL http://FQDN:9442 and request should get proxied to www.ca.com
    14. Access URL http://FQDN:7070/proxyui. We should get a login page.
    15. Enter a User from SiteMinder User Directory Object we created on WAM UI.
    16. E.g. HAAAAA / firewall.
    17. User is logged in because SiteMinder User Directory Object is linked to “DOMAIN-SPSADMINUI-wa_sps2” and policy has allow all user.

     

    If we see the steps I followed for installing SPS2 instance on the same machine, it is not that different from SPS1. We just need to be careful on the object created, used and ports.

     

    Again, if RiskMinder service is not configured along with Policy Server, then disable the Session Assurance App on SPS.

     

     

    Regards

     

    Hubert



  • 24.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 01:16 PM

    I have tried this, but whenever I log into the /proxyui I get a 500 error....



  • 25.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 01:50 PM

    I would suggest opening a support ticket. This thread has become quite long and we could suggest stuff. However, after a point, engaging CA Support and having someone look at your setup would be a wiser ask.

     

    zestep As a final question may I ask; what version of PS/OS and what version of SPS/OS is being used?

     

     

    Regards

     

    Hubert



  • 26.  Re: Cannot manage Secure Proxy Server

    Posted Aug 12, 2015 01:52 PM

    Both are running RHEL 6.6 server with CA SSO 12.52 SP1.



  • 27.  Re: Cannot manage Secure Proxy Server

    Posted Aug 13, 2015 11:34 AM

    Yeah, it became too long, sorry I will open a support ticket and when it is fixed I'll post it here. Thanks to everybody

     

    Kind regards,

    Andrés-J. Cremades



  • 28.  Re: Cannot manage Secure Proxy Server

    Posted Aug 13, 2015 01:44 PM

    Did you check the defaultagentname in the ACO like I mentioned?



  • 29.  Re: Cannot manage Secure Proxy Server

    Posted Aug 14, 2015 07:49 AM

    Hi boatguypat,

     

    You're right. I didn't notice about that.

     


     

    • I began installation from the scratch again, carefully. I checked every name, etc. Checking that everything was right in both sides, SSO and SPS.
    • As I setup  CA SSO without configuring initially a Policy Server (I did it after with a CA Directory) I didn't remember whether I entered or not a Master Key, so I do it again through the Policy Server Configuration Wizard.
    • After that I modify server.conf file disabling arcot settings.


    <Contexts>
        <Context name="Credential Handling Service">
            docBase="chs"
            path="chs"
            enable="yes"
        </Context>
        <Context name="Authentication/Authorization web services">
            docBase="CA_AuthAZ"
            path="authazws"
            enable="yes"
        </Context>
        <Context name="AALoginService">
            docBase="aaloginservice"
            path="aaloginservice"
            enable="no"
        </Context>
        <Context name="Advanced Auth Application">
            docBase="authapp"
            path="authapp"
            enable="no"
        </Context>
        <Context name="UI Application">
            docBase="uiapp"
            path="uiapp"
            enable="no"
        </Context>
    </Contexts>


    And now finally when I launch Proxy UI the browser shows me the login page. Now I just have to solve the login problem, but this doesn't belong to this discussion. I'll check what Karmeng mentioned. Thanks to everybody (especially Karmeng, Ujwol, wonsa03, boatguypat, and HubertDennis), you were really nice and helpful to me.

     

    Kind regards.
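
The check the thread converges on (posts 9, 11, 14 and 29), as an added example that is not part of any post and not CA tooling: parse the `<Contexts>` section of server.conf and list the Session Assurance contexts that are still enabled while the RiskMinder startup log does not end with its READY line. The function names, the `#` comment handling, the treatment of a missing `enable` key as "enabled", and both sample inputs are assumptions made for the example; the log lives on the Policy Server and server.conf on the SPS, so the caller supplies the text of each.

```python
import re

# docBase values of the three contexts the thread disables when RiskMinder
# is not configured (taken from the server.conf excerpts in the posts).
AA_DOCBASES = {"aaloginservice", "authapp", "uiapp"}

# Line the quoted pre-requisite says must be at the end of
# cariskminderstartup.log.
READY_MARKER = "CA RiskMinder Service READY"

_OPEN = re.compile(r'<Context\s+name="([^"]*)"\s*>')
_PAIR = re.compile(r'^([A-Za-z_][\w.]*)\s*=\s*"([^"]*)"$')


def parse_contexts(conf_text):
    """Return {context name: {key: value}} for every <Context> block."""
    contexts, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        opened = _OPEN.match(line)  # does not match the <Contexts> wrapper
        if opened:
            current = contexts.setdefault(opened.group(1), {})
            continue
        if line == "</Context>":
            current = None
            continue
        pair = _PAIR.match(line)
        if pair and current is not None:
            current[pair.group(1)] = pair.group(2)
    return contexts


def riskminder_ready(startup_log_text):
    """True when the last non-empty log line carries the READY marker."""
    lines = [l.strip() for l in startup_log_text.splitlines() if l.strip()]
    return bool(lines) and READY_MARKER in lines[-1]


def contexts_to_disable(conf_text, ready):
    """Names of AA contexts still enabled although RiskMinder is not ready.

    Assumption: a context without an explicit enable="no" counts as enabled.
    """
    if ready:
        return []
    return sorted(
        name
        for name, props in parse_contexts(conf_text).items()
        if props.get("docBase", "").lower() in AA_DOCBASES
        and props.get("enable", "").lower() != "no"
    )


# Constructed sample: one AA context disabled, one enabled, one with no
# enable key at all.
SAMPLE_CONF = """
<Contexts>
    <Context name="Credential Handling Service">
        docBase="chs"
        path="chs"
        enable="yes"
    </Context>
    <Context name="AALoginService">
        docBase="aaloginservice"
        path="aaloginservice"
        enable="no"
    </Context>
    <Context name="Advanced Auth Application">
        docBase="authapp"
        path="authapp"
        enable="yes"
    </Context>
    <Context name="UI Application">
        docBase="uiapp"
        path="uiapp"
    </Context>
</Contexts>
"""

# Constructed log texts; only the READY line comes from the thread.
SAMPLE_LOG_MISSING = ""
SAMPLE_LOG_READY = "(constructed earlier line)\nCA RiskMinder Service READY\n"

if __name__ == "__main__":
    for label, log in (("no log", SAMPLE_LOG_MISSING), ("ready", SAMPLE_LOG_READY)):
        ready = riskminder_ready(log)
        print(label, "->", contexts_to_disable(SAMPLE_CONF, ready))
```
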



  • 30.  Re: Cannot manage Secure Proxy Server

    Posted Dec 11, 2016 06:59 AM

    Andrés, is it resolved? If yes, could you share what resolved the issue?