Symantec Access Management


Forgot Password services-APS

Shrwn, Sep 12, 2016 04:11 AM

  • 1.  Forgot Password services-APS

    Posted Sep 09, 2016 03:51 AM

    Hi All,

    We have set up APS in our environment. Change password and Admin are working properly, but when we access Forgot password services, it always redirects us to a NOT FOUND URL page. We have enabled trace, but it still does not write what type of query it is searching for in AD.

    In PS trace logs, we are getting "Search returned 0 entries." while users are present in AD.

     

    Please guide.

     

    Regards, 

    Shrawan



  • 2.  Re: Forgot Password services-APS

    Broadcom Employee
    Posted Sep 09, 2016 04:04 AM

    Hi Shrawan

    If you set tracing in your policy server and include the LDAP elements in the profiler, you should be able to see what query it is doing.

    Then you can try to repeat the LDAP search shown in the smtracedefault from the command line. Does it return data?



  • 3.  Re: Forgot Password services-APS

    Posted Sep 09, 2016 06:57 AM

    Hi Miquel,

    Thanks for your response.

    I have included the LDAP element in the profiler and set tracing in APS.cfg, but it didn't work for me.

    I have also tried enabling trace in the SmPortal.cfg file, and I have read somewhere that if you enable trace or debug in the Webserver, service trace logs will be written in the webserver trace file.

    I have enabled trace in SmPortal.cfg and also tried with debug mode, but it's not writing anything extra apart from the normal trace.

     

    Regards,

    Shrawan



  • 4.  Re: Forgot Password services-APS

    Posted Sep 09, 2016 04:05 AM

    Hello,

    Please let us know how you configured the "forgot password services" feature in your environment. Not sure that PS and APS would provide this functionality out of the box. Did you check the following?

     

    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/advanced-password-services-configuration/forgotten-password-fps-interface-forgot

     

    Regards,

    Julien.



  • 5.  Re: Forgot Password services-APS

    Posted Sep 09, 2016 06:59 AM

    Hi Julien,

     

    Thanks for your response

     

    We have configured FPS as mentioned in the docops link provided by you. We have done all the necessary changes in APS.cfg and SmPortal.cfg.

     

    Regards,

    Shrawan



  • 6.  Re: Forgot Password services-APS

    Posted Sep 09, 2016 09:02 AM

    You can turn ON tracing for FPS by setting the following in the SmPortal.cfg file:

    <Name of FPS service as specified in Smportal.cfg file>.Trace

    More here:

    Configure SmPortal and SmTransact - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

     

    Optional Service Settings

    <service>.Trace
    This setting turns on trace logging for the service. The back-end service library will be notified that tracing is requested. The actual tracing performed is up to the service itself and will vary. All tracing is written to the CA Single Sign-on console log.

    Trace and debug logging may also be turned on within the code. If so, these settings will have no effect.



  • 7.  Re: Forgot Password services-APS

    Posted Sep 09, 2016 09:07 AM

    You should also enable the Audit Log for FPS in the APS.cfg file:

    General FPS Settings - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

     

    Audit Log

    Value: File Path

    Default: off

    Recommended: yes

    Complexity Level: Basic

    FPS can log all attempts, successful or failed, to an audit log. This log is written to a flat file in comma-delimited format (suitable for import into many database and spreadsheet applications).

    To specify the location of this log file, use this setting.

    There is no way to control the format or content of this log, nor is there provision for wrapping or deleting the file. If this setting does not appear in the configuration file, no audit log will be written. Please be sure that the user under which the CA Single Sign-on Policy Server processes are running can create and write to this file.

    This file is not terribly useful. A site should check its contents to determine if the information is worth keeping.

    Audit Log=/usr/Netegrity/SiteMinder/Logs/FPS.log



  • 8.  Re: Forgot Password services-APS

    Posted Sep 09, 2016 09:16 AM

    Hi Ujwol,

     

    We have also enabled Audit logs, but it's writing only those parameters there that we have configured in Lookup section in APS.cfg.

     

    Regards,

    Shrawan



  • 9.  Re: Forgot Password services-APS

    Posted Sep 09, 2016 09:14 AM

    Hi Ujwol,

     

    Thanks for your response.

    We have configured these in SmPortal.cfg and also uncommented the Trace setting in the APS.cfg file. It's still not writing the query it's searching for in AD.

    While executing the FPS task (not observed in CPW or APSAdmin), it's writing the following error:

    [ERROR] SmObjLdap failed to bind to LDAP server ***.***.***.***:Port as cn=abc,ou=xyz,cn=123 . LDAP error 91-Can't connect to the LDAP server.

    [ERROR] Policy store failed operation 'Search' for object type 'AgentCommand' . LDAP Error Doing AgentCommand_Search: 89: Bad parameter to an ldap routine.

     

    Please guide.

     

    Regards,

    Shrawan



  • 10.  Re: Forgot Password services-APS

    Posted Sep 09, 2016 09:21 AM

    Can you share your SmPortal.cfg & APS.cfg? Those errors don't seem related.

    Also enable all data and components in the Policy server trace profiler.

    If you are using non-SSL, you can also capture the LDAP command using a Wireshark capture:

    How to capture and filter LDAP transactions with Wireshark



  • 11.  Re: Forgot Password services-APS

    Posted Sep 12, 2016 02:34 AM

    Hi Ujwol,

     

    Sorry, I can't share config files here.

    Is it possible for you to share your email id? I will mail them to you there.

     

    Regards,

    Shrawan



  • 12.  Re: Forgot Password services-APS

    Posted Sep 12, 2016 02:46 AM

    Hi Shrawan,

    Understood. We can't share our email address here either.

    Best is to open a support case and provide the case # here, so I can have a look and assist as required.

     

    Regards,

    Ujwol



  • 13.  Re: Forgot Password services-APS

    Posted Sep 12, 2016 03:02 AM

    Hi Ujwol,

     

    Case# 00504981 is opened regarding this post.

     

    I have attached APS.cfg and SmPortal.cfg files in that case.

     

    Please guide.

     

    Regards,

    Shrawan



  • 14.  Re: Forgot Password services-APS

    Broadcom Employee
    Posted Sep 09, 2016 02:51 PM

    You may want to open a support issue; it can be complicated.

    Turn on FPS logging:

    "27-Aug-2015","08:28:06",1,10,"?","Supplied Value: ~uid=A1"

    "27-Aug-2015","08:28:06",1,10,"?","Supplied Value: ~givenName=John"

    "27-Aug-2015","08:28:06",1,10,"?","Supplied Value: ~sn=A1"

    "27-Aug-2015","08:28:06",1,10,"?","Too Many Users Found"

     

    Policy server trace logs will show the state change during the processing of the FPS request.

    Review the LDAP access logs together with the PS logs to see the search being used:

     

    [01/31/2014][14:22:57.699][14:22:57][13230][11][CServer.cpp:262][ServerTrace][[SM-APS-06007] Forgotten Password Services...][SmTransact(APSAPI): [SM-APS-06007] Forgotten Password Services...]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][New Macro "target" = "lodsun30a.ca.com:8787/jsp/identify.jsp"][APS-FPS: New Macro "target" = "lodsun30a.ca.com:8787/jsp/identify.jsp"]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][Referrer = http://lodsun30a.ca.com:8787/jsp/Identify.jsp][APS-FPS: Referrer = http://lodsun30a.ca.com:8787/jsp/Identify.jsp]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][State Check: Referrer = http://lodsun30a.ca.com:8787/jsp/Identify.jsp][APS-FPS: State Check: Referrer = http://lodsun30a.ca.com:8787/jsp/Identify.jsp]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][URL Translation "http://lodsun30a.ca.com:8787/jsp/Identify.jsp" -> "//lodsun30a.ca.com:8787/jsp/Identify.jsp"][APS-FPS: URL Translation "http://lodsun30a.ca.com:8787/jsp/Identify.jsp" -> "//lodsun30a.ca.com:8787/jsp/Identify.jsp"]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][Determined state to be 10.][APS-FPS: Determined state to be 10.]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][State Change: Phase 10 -> 12][APS-FPS: State Change: Phase 10 -> 12]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][State Change: Phase 12 -> 10][APS-FPS: State Change: Phase 12 -> 10]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][Redirecting to "http://lodsun30a.ca.com:8787/jsp/Identify-Multiple.jsp"][APS-FPS: Redirecting to "http://lodsun30a.ca.com:8787/jsp/Identify-Multiple.jsp"]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][Phase 10 - No search criteria entered!][APS-FPS: Phase 10 - No search criteria entered!]

    [01/31/2014][14:22:57.702][14:22:57][13230][11][CServer.cpp:262][ServerTrace][[SM-APS-06011] FPS Returning 455 bytes of HTML][SmTransact(APSAPI): [SM-APS-06011] FPS Returning 455 bytes of HTML]

    APS.CONF will show what attributes need to be searched; in my case I mapped UserID to the uid attribute, the only one required.

     

    [FPS-Identify]

    Required=UserID

    Optional=FirstName;LastName;Phone;City;State;mail;phonenow;

    Lookup=UserID=uid;Mail=mail;FirstName=~givenname;LastName=~sn;Phone=telephoneNumber,homePhone;City=~l;State=st



  • 15.  Re: Forgot Password services-APS

    Posted Sep 12, 2016 02:23 AM

    Hi Stephen,

     

    Thanks for your response.

    We have mapped UserID and Date of Joining of the user, and we are getting these in FPS.log (the FPS audit log), but we want to know the query combination it's making to search for that user in AD.

     

    Regards,

    Shrawan.



  • 16.  Re: Forgot Password services-APS

    Posted Sep 12, 2016 02:26 AM

    Hi Shrawan,

     

    I checked; there is no configuration available to print the actual LDAP query used by SiteMinder.

    Your best bet is to capture a network trace per my previous advice and filter the LDAP transactions.

     

    Regards,

    Ujwol Shrestha



  • 17.  Re: Forgot Password services-APS

    Posted Sep 12, 2016 03:44 AM

    Hi Shrawan,

     

    While this may not help with your current query, this tech tip which I just created might help you in configuring FPS in general:

    Tech Tip : CA Single Sign-On :Policy Server::How to configure APS Forgot Password (FPS) Interface

     

    Regards,

    Ujwol



  • 18.  Re: Forgot Password services-APS

    Posted Sep 12, 2016 04:11 AM

     



  • 19.  Re: Forgot Password services-APS
    Best Answer

    Posted Sep 12, 2016 07:25 PM

    Hi Shrawan,

     

    I captured the LDAP request from my lab setup and here is what I got:

    Filter: (&(&(givenname~=Kelly)(sn~=Wong))(objectclass=inetOrgPerson))

    Where givenname and sn were the required fields in my setup.

    So for your use case, I would expect a similar query to be triggered.

    Wireshark is best to find out the query.

    Just update the case when you are available and we can have a remote session to find this out.
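To make the relationship between the [FPS-Identify] Lookup mapping in post 14 and the captured filter in post 19 concrete, here is an added Python example (not from the thread, nor CA/SiteMinder code). It reads a Lookup line of that shape, pulls the supplied values out of FPS audit-log rows, and builds a filter of the shape captured above with RFC 4515 escaping of the form values; it assumes that a ~ prefix in Lookup means an approximate match (~=) and that comma-separated attributes are OR'd, neither of which the thread states.

```python
import csv

# Constructed Lookup line, modelled on the [FPS-Identify] section quoted in post 14.
LOOKUP_LINE = ("Lookup=UserID=uid;Mail=mail;FirstName=~givenname;LastName=~sn;"
               "Phone=telephoneNumber,homePhone;City=~l;State=st")
# Constructed audit-log rows in the comma-delimited format quoted in post 14.
AUDIT_LINES = [
    '"27-Aug-2015","08:28:06",1,10,"?","Supplied Value: ~givenName=John"',
    '"27-Aug-2015","08:28:06",1,10,"?","Supplied Value: ~sn=A1"',
    '"27-Aug-2015","08:28:06",1,10,"?","Too Many Users Found"',
]
# RFC 4515 escaping: a form value like "*)(uid=*" must not alter the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def supplied_values(lines):
    """Extract 'Supplied Value: attr=value' entries from FPS audit-log rows."""
    found = {}
    for row in csv.reader(lines):
        msg = row[-1]
        if msg.startswith("Supplied Value: "):
            attr, value = msg[len("Supplied Value: "):].lstrip("~").split("=", 1)
            found[attr] = value
    return found

def parse_lookup(line):
    """Map FPS form field -> (approximate_match, [ldap attributes])."""
    mapping = {}
    for item in filter(None, line.split("=", 1)[1].split(";")):
        field, attrs = item.split("=", 1)
        mapping[field] = (attrs.startswith("~"), attrs.lstrip("~").split(","))
    return mapping

def build_filter(mapping, supplied, objectclass="inetOrgPerson"):
    """Build a filter shaped like the one captured in post 19. Assumptions not on
    the page: '~' in Lookup means approximate match (~=); comma lists are OR'd."""
    clauses = []
    for field, value in supplied.items():
        approx, attrs = mapping[field]
        op = "~=" if approx else "="
        terms = ["(%s%s%s)" % (a, op, escape_value(value)) for a in attrs]
        clauses.append(terms[0] if len(terms) == 1 else "(|%s)" % "".join(terms))
    inner = clauses[0] if len(clauses) == 1 else "(&%s)" % "".join(clauses)
    return "(&%s(objectclass=%s))" % (inner, objectclass)
```

With the constructed Lookup line and the values Kelly/Wong, build_filter reproduces the post 19 filter exactly, which lets you compare a Wireshark-captured filter against what the mapping should produce.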