Symantec Access Management

Expand all | Collapse all

XPSIMport fails during patching

  • 1.  XPSIMport fails during patching

    Posted Aug 11, 2016 06:36 PM

    Hi I am patching my policy server from R1252CR1 to R1252Cr5 to get SessionDNA feature to work.

     

    First step is to patch the policy server which was successful. I was able to login through CR1 adminui and apps were working fine with CR1 policy store. However I was asked to upgrade the policy store as well to get sessionDNA. So, I have created another AD LDS instance on Windows 2008Sp2 for a new policy store and ran the Policy Server config to initialize the policy store. Went well. With XPSExlorer I cd see the default objects such as Default AAS Trustedhost and:

     

      1-CA.SM::Policy@04-cd5ddc55-3390-4dbe-ad05-880a7a2eb918

                  (I) Name  : "SAML2FWSAttributeServicePolicy"

      7-CA.SM::Policy@04-70d60545-5316-49c3-ac96-ae5c75b7efe8

                  (I) Name  : "FederationWSSessionServicePolicy"

     

     

    Defautl User Directories

      1-CA.SM::UserDirectory@0e-3b0f4ccf-71f3-4968-b095-2b5a830c3244

                  (I) Name  : "SAML2FederationCustomUserStore"

                  (C) Desc  : "list of all the service providers"

      4-CA.SM::UserDirectory@0e-08c6cadb-e30b-4e06-9e2e-b3d7a866fab8

                  (I) Name  : "FederationWSCustomUserStore"

                  (C) Desc  : "list of all the affiliates exposed as an

                              user store"

                (C) Server  : "smdspropc"

             (C) Namespace  : "Custom:"

     

    However , I have trouble importing my old policy data into the new policy store. I have exported the data using:

    XPSExport -xb devpol.xml. I would have modifies Policy store details after successful import. However my import fails with out informative error.

     

    validateOnly command was successful:

     

    [smuser@ bin]$ XPSImport devpol.xml -validateOnly

    [XPSImport - XPS Version 12.52.0105.2113]

    Log output: /opt/netegrity/siteminder/log/XPSImport.2016-08-11_170624.log

    Initializing XPS, please wait...

    (ERROR) : [sm-xpsxps-06810] Failed to initialize event handler library "/opt/netegrity/siteminder/lib/libEventIntroscopeprovider.so"

    Please enter the passphrase to use for decrypting sensitive information:

    Log Time Phase/Section                #Objects       %age        Elapsed   

    -------- ------------------------ --------------- -----------  -----------------

    17:06:30 Initializing                                                          

    17:06:30 Reading                                               00:00:00         

    17:06:33 Reading                                               00:00:03  00:00:03

    17:06:33 Analyzing                      0/4099                 00:00:03         

    17:06:33 Analyzing/Reference          157/4099        3%       00:00:03  00:00:00

    17:06:36 Analyzing/Policy Data        410/4099       10%       00:00:06  00:00:03

    17:06:37 Analyzing/Policy Data        820/4099       20%       00:00:07  00:00:04

    17:06:38 Analyzing/Policy Data       1230/4099       30%       00:00:08  00:00:05

    17:06:39 Analyzing/Policy Data       1640/4099       40%       00:00:09  00:00:06

    17:06:40 Analyzing/Policy Data       2050/4099       50%       00:00:10  00:00:07

    17:06:41 Analyzing/Policy Data       2460/4099       60%       00:00:11  00:00:08

    17:06:42 Analyzing/Policy Data       2870/4099       70%       00:00:12  00:00:09

    17:06:43 Analyzing/Policy Data       3280/4099       80%       00:00:13  00:00:10

    17:06:44 Analyzing/Policy Data       3690/4099       90%       00:00:14  00:00:11

    17:06:45 Analyzing/Policy Data       4096/4099       99%       00:00:15  00:00:12

    17:06:45 Analyzing/Security Data     4099/4099      100%       00:00:15  00:00:12

    17:06:46 Analyzing/Security Data                               00:00:16  00:00:13

    17:06:48 Validating                                            00:00:18         

    17:06:48 Validating/Uniqueness                                 00:00:18  00:00:00

    17:06:49 Validating/Uniqueness                                 00:00:19  00:00:01

    17:06:49 Validating/Policy Data         0/3947                 00:00:19  00:00:01

    17:06:50 Validating/Policy Data       395/3947       10%       00:00:20  00:00:02

    *******: 1

    17:06:52 Validating/Policy Data       790/3947       20%       00:00:22  00:00:04

    17:06:53 Validating/Policy Data      1185/3947       30%       00:00:23  00:00:05

    17:06:55 Validating/Policy Data      1579/3947       40%       00:00:25  00:00:07

    17:06:56 Validating/Policy Data      1974/3947       50%       00:00:26  00:00:08

    17:06:57 Validating/Policy Data      2369/3947       60%       00:00:27  00:00:09

    *******: 1

    17:06:59 Validating/Policy Data      2763/3947       70%       00:00:29  00:00:11

    17:07:00 Validating/Policy Data      3158/3947       80%       00:00:30  00:00:12

    17:07:01 Validating/Policy Data      3553/3947       90%       00:00:31  00:00:13

    17:07:03 Validating/Policy Data      3947/3947      100%       00:00:33  00:00:15

    17:07:03 Validating/Policy Data      3947/3947      100%       00:00:33  00:00:15

    17:07:03 Complete                                              00:00:33         

    Total elapsed time:00:33

     

     

    XPSIMport log goes into infinite priniting of :

     

    [6291/-143472944][Thu Aug 11 2016 17:08:09][:0][doFilter][TRACE] Exit doFilter

    [6291/-143472944][Thu Aug 11 2016 17:08:09][XPSLineNum.cpp:210][doFilter][TRACE] Enter doFilter

    [6291/-143472944][Thu Aug 11 2016 17:08:09][:0][doFilter][TRACE] Exit doFilter

    [6291/-143472944][Thu Aug 11 2016 17:08:09][XPSLineNum.cpp:210][doFilter][TRACE] Enter doFilter

    [6291/-143472944][Thu Aug 11 2016 17:08:09][:0][doFilter][TRACE] Exit doFilter

    [6291/-143472944][Thu Aug 11 2016 17:08:09][XPSLineNum.cpp:210][doFilter][TRACE] Enter doFilter

    [6291/-143472944][Thu Aug 11 2016 17:08:09][:0][doFilter][TRACE] Exit doFilter

     

    There is nothing wrong with .xml file as I was able to import it using same version of Policy server and Policy store in my sand box. Any help or insight would be appreciated.



  • 2.  Re: XPSIMport fails during patching

    Posted Aug 11, 2016 07:46 PM

    Hi Anil,

     

    Can you try using -vT switch during import ? That should give more info as to what's going wrong.



  • 3.  Re: XPSIMport fails during patching

    Posted Aug 11, 2016 08:35 PM

    I did that and it constantly printed out 100s of mbs of enter exit statements. I tried to open a case but I cd not as there was an issue with the site. Have you ever seen such error?

     

    Sent from my iPhone



  • 4.  Re: XPSIMport fails during patching

    Posted Aug 12, 2016 12:26 AM

    Not really. But that doesn't look like an error though. Could just be the result of using -vT (Trace) option.



  • 5.  Re: XPSIMport fails during patching
    Best Answer

    Posted Aug 16, 2016 06:21 PM

    Hi Anil,

     

    The doFilter function basically process each line in XML file and populate map of XID to line number. Also, it performs check for missing class name. Hence, the messages are expected.

     

    I noticed that you have a logged a support ticket with CA Support and currently working with Nathan.

     

    It will be great if you can share the XPSImport log via the support ticker, after the XPSImport operation has completed.



  • 6.  Re: XPSIMport fails during patching

    Posted Aug 16, 2016 11:54 PM

    Sam SamWalker

     

    My thinking is the very first step is incorrect. We are taking a EXPORT using -xb option from PStore1 and importing the EXPORT file into a new PStore2. This is wrong.

     

    -xb is a full backup including configuration information of a Specific ENV. An export taken from -xb should not be imported into another ENV / PStore. It should be using only to restore the existing PStore.

     

    It seems like we have Auditting Configuration enabled via XPSConfig in ENV1 / PStore1. Whereas that is not setup in ENV2 / PStore2. Hence the error is being thrown.

     

    Have you tried without using -xb taking a export e.g. "XPSExport <filename.xml> -xp -xe -vT"



  • 7.  Re: XPSIMport fails during patching

    Posted Aug 17, 2016 12:15 AM

    Not really. Have done this so many times.

    It works !!!

     

    All you need to do is change the policy store details and the other environment specific details (e.g log file location etc ) from SmConsole once the import is successful.

    As Anil already said he was aware of it as well  - " I would have modifies Policy store details after successful import."



  • 8.  Re: XPSIMport fails during patching

    Posted Aug 17, 2016 12:31 AM

    Well I know it works after we manually tinkered the parameters in smconsole post import. My thought here was the library spewing the error. That looks like the Auditing library enabled via XPSConfig (earlier was supported via SmConsole).

     

    (ERROR) : [sm-xpsxps-06810] Failed to initialize event handler library "/opt/netegrity/siteminder/lib/libEventIntroscopeprovider.so"

     

    According me -xb not only encompasses the Policy Store information but also certain other configuration parameters beyond just the policy store.

     

    Hence my suggestion is to try to take an export without -xb.

     

    E.g. XPSExport <filename.xml> -xp -xe -xi -xs -vT

     

    Test this if it works, then we can assume we know what the culprit is i.e. -xb having additional configuration parameters.



  • 9.  Re: XPSIMport fails during patching

    Posted Aug 17, 2016 12:36 AM

    It's worth trying..



  • 10.  Re: XPSIMport fails during patching

    Posted Aug 17, 2016 12:41 AM

    OR Ujwol the other option I was thinking of suggesting was to identify in which ENV is that library added? e.g. is it in PStore1/PS ENV or PStore2/PS ENV. If we can remove that library from XPSConfig, if it was added. Then retry. Just a different thought.



  • 11.  Re: XPSIMport fails during patching

    Posted Aug 17, 2016 12:43 AM

    Based on my experience, this shouldn't BLOCK the import.

    Yes, it will definitely will be unable to load the dll as the target environment doesn't have it ..but that is when we try to startup policy server.



  • 12.  Re: XPSIMport fails during patching

    Posted Aug 17, 2016 12:51 AM

    Ujwol, Hubert:

     

    import completed after I let it  run for 1.45 hrs instead of typical 30 sec. Exporting -xb did not cause issues.

     

    Thank You very much for your inputs. Much appreiciated.



  • 13.  Re: XPSIMport fails during patching

    Posted Aug 17, 2016 12:53 AM

    Cool. That's what I expected

    Those messaged never looked any problem to me

    Please mark this thread as Answered.



  • 14.  Re: XPSIMport fails during patching

    Posted Aug 17, 2016 01:59 AM

    One last follow up: Appreciate any insight as usual.

    My IWA server had issues coming up after this switch. All the other webagents seem to work fine, although all of the rest of them are non-windows.

    Policy server show no logs about this event, shows no connections from this agent either.

    Event Viewer has no issues, shows successful initialization of Agent.However, after few mins the agent dies:

     

    agent:

     

    6200/6212][Wed Aug 17 2016 00:23:12][CSmAdminManager.cpp:250][INFO][sm-AgentFramework-00280] ADMIN: Administration Manager initialized.

    [6200/6212][Wed Aug 17 2016 00:23:12][CSmHighLevelAgent.cpp:192][INFO][sm-AgentFramework-00380] HLA: Initialization complete.

    [6200/6232][Wed Aug 17 2016 00:23:13][CSmLowLevelAgent.cpp:546][ERROR][sm-AgentFramework-00520] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'.

    [6200/6232][Wed Aug 17 2016 00:23:13][CSmProtectionManager.cpp:192][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Low Level Agent'.

    [6200/6232][Wed Aug 17 2016 00:23:13][CSmHighLevelAgent.cpp:1010][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Session Manager'.

    [6200/6352][Wed Aug 17 2016 00:27:38][CSmHighLevelAgent.cpp:206][INFO][sm-AgentFramework-00390] HLA: Stopping.

    [6200/6352][Wed Aug 17 2016 00:27:38][SmPlugin.cpp:103][INFO][sm-AgentFramework-00180] Agent Framework plug-in 'SM_WAF_HTTP_PLUGIN' shutdown.

    [6200/6352][Wed Aug 17 2016 00:27:38][SmAgentAPI.cpp:1671][INFO][sm-AgentFunc-00040] Agent API has been released.

    [6376/6380][Wed Aug 17 2016 00:27:59][LLAWorkerProcess.cpp:1916][INFO][sm-AgentFramework-00690] LLAWP: Stopping.

    [6376/6380][Wed Aug 17 2016 00:27:59][SmAgentAPI.cpp:1671][INFO][sm-AgentFunc-00040] Agent API has been released.

    [6376/6412][Wed Aug 17 2016 00:27:59][LLAWPMsgBus.cpp:512][INFO][sm-AgentFramework-00670] LLAWP: Message bus stopped.

    [6376/6408][Wed Aug 17 2016 00:27:59][LLAWPLogQ.cpp:719][INFO][sm-AgentFramework-00640] LLAWP: Tracing stopped.

     

     

     

    [6376/6408][Wed Aug 17 2016 00:27:59][LLAWPLogQ.cpp:723][INFO][sm-AgentFramework-00600] LLAWP: Logging stopped.

     

    Trace.log:

     

    08/17/2016][00:23:13][6200][6232][CSmHighLevelAgent.cpp:1017][ProcessAdvancedAuthentication][000000000000000000000000750b980a-1838-57b3f4c1-1858-00350029][*10.154.102.223][][6e1vgRn4UbPwwYMj9cq3ddATGIKxQq3wtYIQYDFUXlB2EFQOiMeOEqj9S+tWBR7r][/wps/myportal/globalportal/][][ProtectionManager returned SmNoAction or SmFailure, end new request.]

    [08/17/2016][00:23:13][6200][6232][CSmLowLevelAgent.cpp:3079][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

    [08/17/2016][00:27:38][6200][6352][SmIIS70Module.cpp:543][CSmIIS70Module::Shutdown][][][][][][][IIS 7.0 Native Module shutting down.]

    [08/17/2016][00:27:38][6200][6352][CSmHighLevelAgent.cpp:204][Shutdown][][][][][][][High Level Agent shutting down.]

    [08/17/2016][00:27:38][6200][6352][CSmManager.cpp:82][Resource Manager][][][][][][][Shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmManager.cpp:82][Session Manager][][][][][][][Shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmManager.cpp:82][Response Manager][][][][][][][Shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmManager.cpp:82][Session Manager][][][][][][][Shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmProtectionManager.cpp:125][CSmProtectionManager::Shutdown][][][][][][][ProtectionManager shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmManager.cpp:82][Credential Manager][][][][][][][Shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmManager.cpp:82][Challenge Manager][][][][][][][Shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmManager.cpp:82][Response Manager][][][][][][][Shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmManager.cpp:82][Session Manager][][][][][][][Shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmAuthenticationManager.cpp:124][CSmAuthenticationManager::Shutdown][][][][][][][AuthenticationManager shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmManager.cpp:82][Response Manager][][][][][][][Shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmManager.cpp:82][Variable Manager][][][][][][][Shutdown.]

    [08/17/2016][00:27:38][6200][6352][CSmAuthorizationManager.cpp:124][CSmAuthorizationManager::Shutdown][][][][][][][AuthorizationManager shutdown.]

    [08/17/2016][00:27:38][6376][6412][LLAWPMsgBus.cpp:221][ProcessMessage][][][][][][][Close message received from client '6200.6212']

    [08/17/2016][00:27:38][6200][6352][SmAgentAPI.cpp:1671][][][][][][][][LogMessage:INFO:[sm-AgentFunc-00040] Agent API has been released.]

    [08/17/2016][00:27:38][6200][6352][CSmAgentApiBase.cpp:612][CSmAgentApiBase::Shutdown][][][][][][][AgentApiBase Shutdown.]

    [08/17/2016][00:27:59][6376][6380][LLAWorkerProcess.cpp:1601][main][][][][][][][Stop signaled.]

    [08/17/2016][00:27:59][6376][6380][LLAWorkerProcess.cpp:1911][main][][][][][][][LLAWP Stopping.]

    [08/17/2016][00:27:59][6376][6380][LLAWorkerProcess.cpp:1916][][][][][][][][LogMessage:INFO:[sm-AgentFramework-00690] LLAWP: Stopping.]

    [08/17/2016][00:27:59][6376][6380][SmAgentAPI.cpp:1671][][][][][][][][LogMessage:INFO:[sm-AgentFunc-00040] Agent API has been released.]

    [08/17/2016][00:27:59][6376][6412][LLAWPMsgBus.cpp:504][MsgBusWorkerFunc][][][][][][][Stop signaled.]

    [08/17/2016][00:27:59][6376][6412][LLAWPMsgBus.cpp:510][MsgBusWorkerFunc][][][][][][][Message bus shutdown.]

    [08/17/2016][00:27:59][6376][6412][LLAWPMsgBus.cpp:512][][][][][][][][LogMessage:INFO:[sm-AgentFramework-00670] LLAWP: Message bus stopped.]

    [08/17/2016][00:27:59][6376][6408][LLAWPLogQ.cpp:715][LogWorkerFunc][][][][][][][Stop signaled.]

    [08/17/2016][00:27:59][6376][6408][LLAWPLogQ.cpp:717][LogWorkerFunc][][][][][][][Tracing shutdown.]

    [08/17/2016][00:27:59][6376][6408][LLAWPLogQ.cpp:719][][][][][][][][LogMessage:INFO:[sm-AgentFramework-00640] LLAWP: Tracing stopped.]

    [08/17/2016][00:27:59][6376][6408][LLAWPLogQ.cpp:723][][][][][][][][LogMessage:INFO:[sm-AgentFramework-00600] LLAWP: Logging stopped.]

     

    I had to roll back to my CR1 policy store as I cd not get the environment up in allocated 3 hr window. Will try again tomorrow, this time all I had to do is change the sm.registry file with CR5 settings. 



  • 15.  Re: XPSIMport fails during patching

    Posted Aug 17, 2016 02:03 AM

    Let's review this on a new thread Anil :

    IWA server startup issue