Symantec Access Management

In FSS ui, in old 12.0 store, there are bunch of administrators. These administrators don't show up in new 12.7 admin-ui. XPSImport should have taken care of it or since they are admins, they don't get created?

These admins got created using "external Directory" option in fss ui by giving user directory and authentication scheme values.

what is the equivalent way of doing this in admin ui? should I use "create legacy administrator" option. I used that option and created the administrator. I can find this user in the dir. once this user is created, I wanted to use this admin user to login to admin-ui. No luck doing so. I am using siteminder account so far to login admin-ui.

How should I create administrators in the admin ui so I can use them to login to admin ui instead of using siteminder account.

To create external admin for Admin UI follow this guide :

Configure an External Administrator Store - CA Single Sign-On - 12.7 - CA Technologies Documentation 

Hi Ujwol,

Is there anyway for administrators to login to WAM UI without creating external admin store (through administrators or legacy administrators)?

Do we know why this functionality got changed in adminui?

Under Directory-->UserDir tab I am able to view the directories and search the users there which will be logging in as administrator. Can these User directories be mapped in the new admin ui part where no new configuration required/modification in the existing configuration.

The reason I am trying to find out this is creating this external store will require us to change the underlying directory structure (for example creating and passing those required user attributes while configuring the connections, which is not handled by our team and it will impact our production environment as well).

Any thoughts and suggestions will be greatly appreciated on this.

Thanks.

You asked "Is there anyway for administrators to login to WAM UI without creating external admin store (through administrators or legacy administrators)?"

Ujwol => Yes, you can create legacy adminstrator account and login to Admin UI.

You said "Under Directory-->UserDir tab I am able to view the directories and search the users there which will be logging in as administrator. Can these User directories be mapped in the new admin ui part where no new configuration required/modification in the existing configuration."

Ujwol => For these users to be able to login as administrator , you need to configure that user directory as external admin store and select those users as administrator. 

You asked "The reason I am trying to find out this is creating this external store will require us to change the underlying directory structure (for example creating and passing those required user attributes while configuring the connections, which is not handled by our team and it will impact our production environment as well)."

Ujwol => I don't think you will need to change any directory structure .. which attribute are you talking about here.. 

you are right actually I didn't have to change any directory structure. The disableflag takes the unset value.

The legacy administrator screen is taken by using siteminder policy-store and not the external directory store I believe? If legacy administrators reside in the external LDAP directory server/user store and continue to want to use the admin-ui  then it is must to create external directory authentication?

For ex., my ID was administrator in the FSS ui, was coming from external directory. Now in order for my id to use admin-ui, I should create external admin store. Make myself as super user? Then add other IDs as administrator. In situations where I don't/shouldn't want to become super user for audit purposes then is it advisable to create service account sort of account because once external admin store is created then "siteminder" super user won't exist any more?

Thanks a lot for your help with this!

Correct. To be able to use user from external directory as Admin UI administrator you must create external admin store connection first.

Hi,

In order to create external administrator store, I followed the steps as listed in the link. It get stuck at below screen, it passes the directory connection screen though.

After this adminui hangs and time out message comes because of no activity. Nothing happens after clicking on logout button. It hangs if I try to login after closing the browser in IE address bar saying waiting for browser.

I wanted to find out how adminui should be debugged for these types of hang problems before deploying it in production environment.

Any help will be greatly appreciated.

Thanks.

Its probably because the search root you specified may have large number of users ?

Is it possible to make the search root more specific , for e.g instead of giving "dc=ca, dc=com", try something like "dc=admins,dc=users,dc=ca,dc=com"

Hi Ujwol,

Thanks for your reply. I changed the search. It went through to the final screen this time, which is better. but I haven't had much luck. I came to below screen and it got hung.

I started the adminui using standalone script. It has been sitting here for hours now, The logs below is from 3rd attempt of starting jboss.

12:31:02,145 WARN  [org.jboss.as.txn] (ServerService Thread Pool -- 44) JBAS010153: Node identifier property is set to the default value. Please make sure it is unique.

From server.log not much detail:

tail -f server.log
2018-01-25 12:31:07,597 INFO  [org.jboss.as.messaging] (ServerService Thread Pool -- 51) JBAS011601: Bound messaging object to jndi name java:jboss/exported/jms/RemoteConnectionFactory
2018-01-25 12:31:07,693 INFO  [org.jboss.as.connector.deployment] (MSC service thread 1-2) JBAS010406: Registered connection factory java:/JmsXA
2018-01-25 12:31:07,810 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-3) JBAS017519: Undertow HTTPS listener https listening on /0.0.0.0:8443
2018-01-25 12:31:07,843 INFO  [org.hornetq.ra] (MSC service thread 1-2) HornetQ resource adaptor started
2018-01-25 12:31:07,844 INFO  [org.jboss.as.connector.services.resourceadapters.ResourceAdapterActivatorService$ResourceAdapterActivator] (MSC service thread 1-2) IJ020002: Deployed: file://RaActivatorhornetq-ra
2018-01-25 12:31:07,846 INFO  [org.jboss.as.connector.deployment] (MSC service thread 1-2) JBAS010401: Bound JCA ConnectionFactory [java:/JmsXA]
2018-01-25 12:31:08,204 INFO  [org.jboss.ws.common.management] (MSC service thread 1-3) JBWS022052: Starting JBoss Web Services - Stack CXF Server 4.3.2.Final
2018-01-25 12:31:08,309 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
2018-01-25 12:31:08,310 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015954: Admin console is not enabled
2018-01-25 12:31:08,310 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015874: WildFly 8.2.0.Final "Tweek" started in 16172ms - Started 252 of 304 services (104 services are lazy, passive or on-demand)

What is the way of further debugging this issue?

First time it will be bit slow. Did you wait long enough? Probably about 2-3 minutes.

Can you attach server.log?

Hi Ujwol,

yes waited around 40 minutes are so.

Lets continue on this here : Admin ui hangs