Symantec Access Management


When policystore is tampered, will policystore LDAP restore bring back system to normal in a live environment

  • 1.  When policystore is tampered, will policystore LDAP restore bring back system to normal in a live environment

    Posted May 18, 2019 01:00 AM

    I am working on upgrading from CA Siteminder R 12.52 SP 1 CR 05 to CA SSO 12.8. In the process, I exported policystore objects and keys from current live environment (CA Siteminder R 12.52 SP 1 CR 05) using XPSExport -xb policystore_r1252.xml -npass.


    By mistake, I did an XPSImport on the live environment instead of duplicate policy store. After importing, I was able to login to Admin UI but lost Super User permissions to admin UI with error message "Unable to establish administration context".


    I tried to re-register the Super User following the link https://comm.support.ca.com/kb/steps-to-reregister-admin-ui/kb000009742 (followed every step in sequence) but now I am not able to register the user against policy server.


    Below are the errors from log snippet.


    Smps.log:


    [2658/-260588688][Fri May 17 2019 16:06:44][XPSSecurity.cpp:718][ValidateAdmin][ERROR][sm-xpsxps-04390] Unable to establish administration context.

    [2658/4097317744][Fri May 17 2019 16:06:44][CServer.cpp:1922][ERROR][sm-Server-01060] Handshake error: Unknown client name 'carc-vsmps01__0' in hello message

    [2658/4097317744][Fri May 17 2019 16:06:44][CServer.cpp:2016][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3160

    [2658/4097317744][Fri May 17 2019 16:06:44][CServer.cpp:2037][ERROR][sm-Tunnel-00100] Handshake error: Bad hostname in hello message

    [2658/4097317744][Fri May 17 2019 16:06:44][CServer.cpp:2188][ERROR][sm-Server-01070] Failed handshake with ::ffff:128.11.138.201:40026


    Second attempt onwards, I get this error.


    [2658/-323527824][Fri May 17 2019 16:19:44][XPSRegService.cpp:544][Error][ERROR][sm-xpsxps-07270] No registration on file.

    [2658/-281568400][Fri May 17 2019 16:19:44][XPSSecurity.cpp:718][ValidateAdmin][ERROR][sm-xpsxps-04390] Unable to establish administration context.


    Admin UI Log:


    16:05:51,210 INFO  [ServerImpl] JBoss (Microcontainer) [5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)] Started in 1m:10s:671ms

    16:08:09,594 ERROR [BootstrapRegistrationCommand] Registration for 'siteminder' failed

    16:08:09,595 ERROR [Bootstrap] Failed to establish trust with the Policy Server, use 'XPSExplorer' on the Policy Server to clean up CA.SM::TrustedHost and CA.SM::Admin objects

    16:08:12,955 ERROR [BootstrapRegistrationCommand] Registration for 'siteminder' failed

    16:08:12,955 ERROR [Bootstrap] Failed to establish trust with the Policy Server, use 'XPSExplorer' on the Policy Server to clean up CA.SM::TrustedHost and CA.SM::Admin objects


    I would like to know what can be done to restore the live system back. 


    We are running the policystore on CA LDAP (CA Directory R12 SP18) and I have a full backup of the LDAP data taken prior to XPSImport. Will restoring the policystore LDAP with the backup LDIF file bring back the system to original state?


    Thanks,

    Krishna



  • 2.  Re: When policystore is tampered, will policystore LDAP restore bring back system to normal in a live environment
    Best Answer

    Posted May 18, 2019 01:43 PM

    I was able to resolve the issue. Just for the benefit of others who have faced or might face a similar scenario, I performed the steps below to correct this issue.


    Fix 1:


    1. Stopped Admin UI

    2. Created a new DSA (CA Directory) with all config settings the same as the current policystore and loaded this DSA with the policystore LDIF export I had taken earlier.

    3. Stopped policy server

    4. Took a backup of $SITEMINDER_HOME/registry/sm.registry file

    5. Changed policy server to point to this new DSA that I created.

    6. Started the policy server and verified smps.log for errors. Luckily no errors were recorded, which indicates my policy store is not corrupt.

    7. I registered the super admin user for admin UI using XPSRegClient command. (Not very sure if this step is needed because the first login on Admin UI didn't prompt me to register - perhaps the policystore already had information about the earlier registration).

    8. Started Admin UI.

    9. Everything came back up without any issues.


    With this, I got a clean working environment back again. Now I want to fix the actual policy store that was tampered, which I describe in Fix 2.


    Fix 2:


    1. Stopped Admin UI

    2. Took another export of the policy store (using XPSExport: XPSExport -xb policystore_05182019.xml -npass) to get the present state.

    3. Compared the policystore backup I had taken earlier against this new export - most of the lines matched and a few were overwritten - but the size of both matched.

    4. I registered the super admin user for admin UI using XPSRegClient command - no error in the XPSRegClient log.

    5. Started Admin UI, verified logs and it was a clean start.

    6. Went to http://<host>:8080/iam/siteminder/adminui

    7. Logged in with the registered user and this time it got registered without issues and I was able to login.


    Additionally, I created another super user through the admin UI so that I have a backup user in case something is tampered with this user's permissions.


    I would still like to get recommendations on backing up the policystore DSA completely every day and restoring it when needed to recover the environment. Is this a feasible and supported solution?


    Thanks,

    Krishna
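Both fixes above rely on "verified smps.log for errors" before trusting the restored policy store. The following Python script is an added example, not code from this thread or from CA: it parses the smps.log line layout quoted in the question and counts only the registration and handshake error codes that appeared there, so the same check can be repeated after a restore or re-registration. The sample lines are constructed from the question's log with a placeholder client name.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
# smps.log layout as quoted in the question; the function field is optional:
# [pid/tid][timestamp][file:line][func][LEVEL][code] message
SMPS_LINE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>-?\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]"
    r"(?:\[(?P<func>[^\]]+)\])?\[(?P<level>[A-Za-z]+)\]"
    r"\[(?P<code>sm-[A-Za-z]+-\d+)\]\s*(?P<msg>.*)$"
)
# Error codes from the question that point at a broken Admin UI registration or
# trusted-host handshake (the state XPSRegClient / object cleanup is meant to repair).
TRUST_CODES = {
    "sm-xpsxps-04390": "administration context could not be established",
    "sm-xpsxps-07270": "no XPS registration on file",
    "sm-Server-01060": "unknown client name in hello message",
    "sm-Tunnel-00010": "bad security handshake attempt",
    "sm-Tunnel-00100": "bad hostname in hello message",
    "sm-Server-01070": "failed handshake with client",
}
def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one smps.log line into its bracketed fields; None if it does not match."""
    m = SMPS_LINE.match(line.strip())
    return m.groupdict() if m else None

def trust_errors(lines: List[str]) -> Counter:
    """Count ERROR lines per code, keeping only the registration/handshake codes above."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"].upper() == "ERROR" and rec["code"] in TRUST_CODES:
            hits[rec["code"]] += 1
    return hits

def report(lines: List[str]) -> str:
    """One-line verdict to check after a policy store restore or re-registration."""
    hits = trust_errors(lines)
    if not hits:
        return "clean: no Admin UI registration or trusted-host errors"
    body = "; ".join(f"{c} x{n} ({TRUST_CODES[c]})" for c, n in sorted(hits.items()))
    return "re-registration needed: " + body

# Constructed sample modelled on the question's log; the client name is a placeholder.
SAMPLE = [
    "[2658/-260588688][Fri May 17 2019 16:06:44][XPSSecurity.cpp:718][ValidateAdmin][ERROR][sm-xpsxps-04390] Unable to establish administration context.",
    "[2658/4097317744][Fri May 17 2019 16:06:44][CServer.cpp:1922][ERROR][sm-Server-01060] Handshake error: Unknown client name 'adminui-host__0' in hello message",
    "[2658/-323527824][Fri May 17 2019 16:19:44][XPSRegService.cpp:544][Error][ERROR][sm-xpsxps-07270] No registration on file.",
    "[2658/4097317744][Fri May 17 2019 16:20:01][CServer.cpp:1][INFO][sm-Server-00000] constructed INFO line, ignored by the filter",
]
```

Run `report(open("smps.log").read().splitlines())` against a real log; a "clean" verdict after the restore is the condition the answer above checked for before starting the Admin UI.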



  • 3.  Re: When policystore is tampered, will policystore LDAP restore bring back system to normal in a live environment

    Posted May 20, 2019 05:18 AM

    Thank you for sharing how you fixed your own issue. I'm sure it will be helpful to someone in need.