Symantec Access Management

  • 1.  Error when Import the Default Policy Store Objects

    Posted Nov 07, 2016 05:58 PM

    Hi,

    I'm facing issues when importing the default policy store objects,

    The Policy server and policy store are new and I'm trying to configure Policy Server R12.5 CR04. The policy store data definitions were imported successfully, but when trying to run the command XPSImport smpolicy.xml -npass, it completes the import and then comes up with this message:

    CA-SM:SMADPT011(ERROR) : Create failed. Object: 1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef. Reason: Object Not Unique.
    CA-XPS:XPSIO067(ERROR) : XPS Transaction COMMIT has failed on Create.
    17:37:52 Committing                                           00:00:23 00:00:21
    CA-XPS:UTIL0179(FATAL) : Import failed. Attempting a rollback (NOT supported for LDAP).
    CA-XPS:UTIL0179(FATAL) : Import failed.

     

    ========

    Envt details:

    Policy Server: SiteMinder R12.5 CR04 on SunOS 5.10

    Policy / Key Store: 2 separate instances in AD-LDS on Windows 2008 R2

    ========

    I'm not sure if I'm missing any step.



  • 2.  Re: Error when Import the Default Policy Store Objects

    Posted Nov 07, 2016 06:16 PM

    Hi,

     

    From smpolicy.xml, Object: 1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef refers to the following. It should be a unique object unless ADLDS contains an existing object prior to it. Is the issue reproducible on another instance, or does it just happen on one instance?

     

            <Object Class="CA.SM::RootConfig" Xid="CA.SM::RootConfig@1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef" CreatedDateTime="2011-03-09T12:16:09" ModifiedDateTime="2011-03-09T12:16:09" UpdatedBy="SMSTUB" UpdateMethod="Internal" ExportType="MergePreferOld">
                <Property Name="CA.SM::RootConfig.ADEnhanced">
                    <BooleanValue>false</BooleanValue>
                </Property>
                <Property Name="CA.SM::RootConfig.EnableUserTracking">
                    <BooleanValue>false</BooleanValue>
                </Property>
                <Property Name="CA.SM::RootConfig.KeyStoreVersion">
                    <NumberValue>7</NumberValue>
                </Property>
                <Property Name="CA.SM::RootConfig.MajorVersion">
                    <NumberValue>7</NumberValue>
                </Property>
                <Property Name="CA.SM::RootConfig.MinorVersion">
                    <NumberValue>0</NumberValue>
                </Property>
                <Property Name="CA.SM::RootConfig.Mode">
                    <NumberValue>0</NumberValue>
                </Property>
                <Property Name="CA.SM::RootConfig.NestedSecurity">
                    <BooleanValue>true</BooleanValue>
                </Property>
            </Object><!-- Xid="CA.SM::RootConfig@1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef" -->

     

    Regards,

    Kar Meng
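
The lookup done by hand in the reply above, from the OID in the XPSImport error to the matching `<Object>` in the export file, as an added example that is not part of the original thread or of the product's tooling. The function names and the `<SampleRoot>` wrapper element are assumptions made for the sample; the error lines and object attributes are copied from the posts.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: XPSImport error lines as quoted in the first post.
IMPORT_OUTPUT = """\
CA-SM:SMADPT011(ERROR) : Create failed. Object: 1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef. Reason: Object Not Unique.
CA-XPS:XPSIO067(ERROR) : XPS Transaction COMMIT has failed on Create.
"""

# Constructed sample: the <Object> quoted in the reply, trimmed to two properties.
# <SampleRoot> is a hypothetical wrapper, not the real root of smpolicy.xml.
EXPORT_XML = """\
<SampleRoot>
  <Object Class="CA.SM::RootConfig" Xid="CA.SM::RootConfig@1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef" UpdatedBy="SMSTUB" ExportType="MergePreferOld">
    <Property Name="CA.SM::RootConfig.KeyStoreVersion"><NumberValue>7</NumberValue></Property>
    <Property Name="CA.SM::RootConfig.NestedSecurity"><BooleanValue>true</BooleanValue></Property>
  </Object>
</SampleRoot>
"""

FAILED = re.compile(r"\(ERROR\) : (\w+) failed\. Object: ([0-9a-f-]+)\. Reason: (.+?)\.?$")

def local(tag):
    """Strip an XML namespace prefix, if any, so lookups work with or without one."""
    return tag.rsplit("}", 1)[-1]

def failed_objects(output):
    """Return (operation, oid, reason) for every 'X failed. Object: ...' line."""
    hits = (FAILED.search(line.strip()) for line in output.splitlines())
    return [m.groups() for m in hits if m]

def describe(xml_text, oid):
    """Find the <Object> whose Xid ends in '@<oid>'; return its class and properties."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "Object" and el.get("Xid", "").endswith("@" + oid):
            props = {p.get("Name"): p[0].text for p in el
                     if local(p.tag) == "Property" and len(p)}
            return {"class": el.get("Class"), "export_type": el.get("ExportType"),
                    "properties": props}
    return None  # OID is not defined in this export file

if __name__ == "__main__":
    for op, oid, reason in failed_objects(IMPORT_OUTPUT):
        print(op, oid, reason, describe(EXPORT_XML, oid))
```
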



  • 3.  Re: Error when Import the Default Policy Store Objects

    Posted Nov 07, 2016 06:21 PM

    That is the OID corresponding to the RootConfig object.

    Are you able to start the policy server? Does it show any error in the smps.log?



  • 4.  Re: Error when Import the Default Policy Store Objects

    Posted Nov 08, 2016 03:50 PM

    Hello Ujwol, I'm getting the below error in the SMPS log:

     

    [21949/1][Mon Nov 07 2016 21:03:01][SmObjProvider.cpp:212][ERROR] Policy store failed operation 'Save'  for object type 'SharedSecretPolicy' . LDAP Error Doing LDAP SharedSecretPolicy_Save: 32: No such object
    [21949/1][Mon Nov 07 2016 21:03:01][SmObjProvider.cpp:212][ERROR] Policy store failed operation 'MultipleSearch'  for object type 'Root' . LDAP Error in Root_Fetch for KeyManagement: 32: No such object
    [21949/1][Mon Nov 07 2016 21:03:01][SmObjProvider.cpp:212][ERROR] Policy store failed operation 'MultipleSearch'  for object type 'Root' . LDAP Error in Root_Fetch for KeyManagement: 32: No such object
    [21949/1][Mon Nov 07 2016 21:03:01][SmObjProvider.cpp:212][ERROR] Policy store failed operation 'MultipleSearch'  for object type 'Root' . LDAP Error in Root_Fetch for KeyManagement: 32: No such object
    [21949/1][Mon Nov 07 2016 21:03:01][PolicyCache.cpp:1008][ERROR] Failed to load an object: 0a-00000000-0000-0000-0000-000000000000
    [21949/1][Mon Nov 07 2016 21:03:01][SmObjStore.cpp:410][ERROR] Secondary cache build failure.
    [21949/1][Mon Nov 07 2016 21:03:05][SmPolicyServer.cpp:698][ERROR] No initial key management object found. This policy server is configured in read-only key management mode. Unable to proceed



  • 5.  Re: Error when Import the Default Policy Store Objects
    Best Answer

    Posted Nov 08, 2016 05:35 PM

    Ah, that looks bad.

     

    Can you try configuring the same LDAP instance as both policy store and key store first and see if that works?

    If that works, then we can later separate out the key store to a new instance using this guide:

    Configure Microsoft AD LDS as a Key Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Regards,

    Ujwol



  • 6.  Re: Error when Import the Default Policy Store Objects

    Posted Nov 17, 2016 08:40 AM

    Thanks Ujwol,

    This helped, and moreover we got approval to continue using a single store for both Key and policy store, this did help.

    We also enabled the Agent key generation for the duration of the activity so it could be due to that as well.

     

    Thanks anyways.