Symantec Access Management

Siteminder Policy Reader

  • 1.  Siteminder Policy Reader

    Broadcom Employee
    Posted Feb 21, 2013 08:06 AM

    Latest version of SMPolicyReader, available at bottom of this post,  last updated build 466 on 29-April-2019.

     

    A lot has happened since Feb-2013 when this was first put into the communities.  Mostly it is bug fixes, but there have been some large feature additions and look & feel changes.  To help identify what has been added I will add links to articles that discuss any new features here:

    Recent SMPolicyReader articles:

     

    Tech Note : Storing SSO policy changes in Revision Control - viewing changes 

    Tech Note : Howto place SSO policy changes under revision control using git 

    May - 2017

    SMPolicyReader update - xcart - screen to check for xcart object references 

    May-2017

    Using SMPolicyReader to generate xcart selection. 
    Dec-2016

     

     


    Siteminder Policy Reader

    Attached is a java Siteminder Policy Reader tool that has been developed internally by CA Support engineers for use within CA Siteminder Support. Given that CA Siteminder customers face similar issues with viewing exported XPS & SMDIF policy stores, it was felt that this was a good candidate tool, even though it is at a fairly early stage of development, for release on the CA community website.

    Here is a quick list of features:

    • Ability to Read XPS export files
    • Ability to read SMDIF export files
    • Ability to read raw LDAP .ldif exports of policy store
    • Ability to connect directly to active policy store via LDAP and ODBC and read store
    • Similar in look to the older Siteminder Applet
    • View History and history navigation (prev and next toolbar, as well as history menu)
    • Find function
    • Ability to display objects in detached window (see screenshot below).
    • Tab that displays Object Properties
    • Tab that displays all References to an Object.
    • Screen that displays All Policy Store Objects; with filter, select and browse options - (see screenshot below)
    • Basic Policy Store Stats
    • Ability to find errors such as missing xpsParent, or xps Link when using direct read for ODBC or LDAP policy store 
    • Ability to compare two policy stores, and give visual display of differences.
    • Compare can be done via Xid or via Name.


    SMPolicyReader Demonstration Video
    The best way to see what it can do is to watch the video demonstration :
    http://youtu.be/71lEVt-GfZw
    (please excuse the presenter, he will re-record the sound sometime in the near future, with less stuttering)

     

    Screenshots of SMPolicyReader in use:

    This is the main tree and selected object display. Note the "<" and ">" toolbar buttons for navigating your viewing history, the "find" tool bar buttons, and the three tabs for the object: "Properties", which is what is displaying, "Stats" which displays some summary details for the object and "References" which displays all of the links to this object. Properties, Child tables and Reference tables are all navigable by double clicking on the row/child object, and if it is a link it will navigate you to that object (you can then use the back button "<" to return).

    This is the browse All Objects screen. You can see all the Xid, Object Name and Class Name in the table, it can be filtered and sorted to pick up the items you want to view (for example you can enter Xid or part of Xid here, to find your object). You then have the choice of showing that object in the main policy browser tree, or showing it in a detached window.

    This is the Detached Object View, with references tab selected. You can have as many of these open as you like, double clicking on any of the references (or properties) will show the reference object/properties in the main policy tree window.

    The results of a compare operation. Added objects/properties are shown in dark blue, deleted are displayed in red strikethrough, and changed objects are shown in bold black. Comparison can be done by Xid (default) or by Name, as set by the "Options" menu item.

     

    Summary
    This is an internally generated tool, done by CA Support engineers and subject to the limitations of the disclaimer applied to this discussion group for uploads.

     

    The SMPolicyReader is developed on a part time basis, so it is likely never to be complete, certainly there are bugs, limitations, and also many features we would like to add. But the tool has proved useful internally with CA Support, as it currently is and hope you find it useful as well.

     

    We certainly welcome feedback; and these forums provide the best place to discuss and ask questions about the PolicyReader, but I am also available via my CA email address, odoma04 at ca dot com

     

    Cheers - Mark

     

    Attached new SMPolicyReader dist :  ALPHA-427 - (6-May-2017)

         Added XCart screen to view (and then add) external obj references.

         Added Env mode for storing/viewing policy under Git revision control.

     

    Attached new SMPolicyReader dist :  ALPHA-390 - (4-Apr-2017)

         Fixed bug in setting links (it was seeing them as strings) in ldif import. 

         There is bunch of stuff for using policy store in revision control - but not in use yet.

     

    Attached new SMPolicyReader dist :  ALPHA-361 - (14-Dec-2016)

         Added ability to build and edit xcart selection for use in xpsexport. 

     

    Attached new SMPolicyReader dist :  ALPHA-355 - (12-Oct-2016)

          *note* this one fixes a bug in the compare with ldif read - but I am a bit worried the scope of the change was big, so 

          354 may be better one to use - if you find a problem.

     

    Attached new SMPolicyReader dist :  ALPHA-354 - (11-Oct-2016)

    (lots of other updates as well ) ...  version 354- 360  from Oct-2016 - July-2017. 

     

     

    Update Alpha-462 - (19-July-2017)

     Last few versions have had the code for git commit and review revisions of policy store, as per the links at the top of the screen.

    Last few versions have had the ability to do a load and export of xcart object lists.  It can follow references as well, to easily add them - still one flaw here, since would be nice to recognise system objects, and when it needs to import whole object not just subcomponent /oid that it references into.

    Fix display of attributes when loading policy store from: raw  .ldif; direct read from ODBC; direct read from  LDAP; and read from the .dumpLDAP and .dumpODBC files.  Various improvements to mapping of the raw parameters to xps export type names. 

    Add extra tabs for:  Config and Federation - so now from xpsexport it will show the parameter values and split all the Fed objects into its own tab.   

    Spent some time mapping fed objects to child objects for better display. 

     

    Update Alpha-466 (29-April-2019) 

    When reading from .ldif files (with tombstoned recorded) it reports when it finds a tombstoned parent with active children (issue from support case that arose and was difficult to detect).



  • 2.  RE: Siteminder Policy Reader

    Posted Feb 21, 2013 11:33 PM
    nice video.

    do you know if the tool has the ability to find orphan object(s) such as this

    Object #1396 has parent #1406, which does not exist

    Tony.


  • 3.  RE: Siteminder Policy Reader

    Broadcom Employee
    Posted Feb 22, 2013 12:59 AM
    Hi Tony

    tlefam wrote:

    nice video.
    Thanks very much.

    tlefam wrote:

    do you know if the tool has the ability to find orphan object(s) such as this

    Object #1396 has parent #1406, which does not exist
    That error occurs with XPSImport and XPSExport, where the program finds an inconsistency within the policy store db (either LDAP or ODBC). So the problem is found when reading the database to create an XPS export, or when merging/loading objects into the database when loading from an export file. Unfortunately it is not an error that will occur within the XPS export xml file by itself.

    For XPS export files :
    The structure of the XPS xml export file is different to the database structure. In the XPS xml file child objects are actually embedded in their parent object, so the xml file will never have the problem; in the database the parent is stored in a field value, where obviously there is a data consistency problem.

    But I agree it is a real problem, Engineering are modifying the XPSInput to have a "-validate" option to assist in resolving these sorts of errors.

    The SMPolicyReader is limited to reading the XPS exported xml files; to find this issue it would have to directly read the LDAP or ODBC data store - although long term I would like to do this - to be able to give a diff report from an XPS backup to the live data - but there are no current plans for it.


    For SMDIF export files :
    This error is detectable in SMDIF files, since the (exported smdif) structure contains the parent, with an attribute that contains a list of its children. So all lost children are easy to calculate, the test is coded inside the SMPolicyReader, but not currently enabled (when I merged the XPS stuff, it had some crossover issues, so it was disabled). The issues are simple, just require some time to resolve, so for SMDIF files, orphaned objects will appear in a future version. Detected orphans will appear as children of another Error object at the root level, and will also appear, along with the reference errors, on the summary report.

    Cheers - Mark
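
The parent check discussed in the reply above, run against a raw .ldif dump instead of the live store, as an added example that is not part of the thread or of SMPolicyReader. It assumes each entry carries `xpsNumber` and `xpsParent` attributes holding plain numbers (the attribute names appear in this thread; the value format, the DN layout and the sample entries are assumptions constructed for illustration).

```python
import base64


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts, one per entry."""
    # Unfold continuation lines: a line starting with one space continues the
    # previous line.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def find_orphans(entries):
    """Return (child xpsNumber, missing parent xpsNumber) pairs."""
    known = {e["xpsnumber"][0] for e in entries if "xpsnumber" in e}
    orphans = []
    for entry in entries:
        for parent in entry.get("xpsparent", []):
            if parent not in known:
                orphans.append((entry.get("xpsnumber", ["?"])[0], parent))
    return orphans


def orphan_report(ldif_text):
    """Format orphans in the style of the XPS error quoted in the thread."""
    return [
        f"Object #{child} has parent #{parent}, which does not exist"
        for child, parent in find_orphans(parse_ldif(ldif_text))
    ]


# Constructed sample: three entries, one folded DN, one base64 description,
# and one object (1396) whose parent (1406) is absent from the dump.
SAMPLE_LDIF = "\n".join([
    "# constructed sample; DN layout is an assumption",
    "dn: xpsNumber=1400,ou=XPS,o=example",
    "xpsNumber: 1400",
    "",
    "dn: xpsNumber=1401,ou=XPS,",
    " o=example",
    "xpsNumber: 1401",
    "xpsParent: 1400",
    "description:: " + base64.b64encode("日本語".encode("utf-8")).decode("ascii"),
    "",
    "dn: xpsNumber=1396,ou=XPS,o=example",
    "xpsNumber: 1396",
    "xpsParent: 1406",
    "",
])

if __name__ == "__main__":
    for message in orphan_report(SAMPLE_LDIF):
        print(message)
```
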


  • 4.  RE: Siteminder Policy Reader

    Posted Feb 22, 2013 09:59 PM
    Wow! it's very useful for me!

    There is no problem except that the multi byte character set (Japanese characters) of Desc field is garbled.
    but it's not a big problem.

    Thank you Mark !

    Tamu.


  • 5.  RE: Siteminder Policy Reader

    Broadcom Employee
    Posted Feb 24, 2013 12:04 AM
    Hi Tamu

    ttamu wrote:

    Wow! it's very useful for me!
    Thank you very much.

    ttamu wrote:


    There is no problem except that the multi byte character set (Japanese characters) of Desc field is garbled.
    but it's not a big problem.
    If you are able to send me an email with an export in it, (to odoma04@ca.com) then I will have a look and see what I can do, sometimes these can be fairly simple to resolve.

    Cheers - Mark


  • 6.  RE: Siteminder Policy Reader

     
    Posted Feb 26, 2013 12:20 PM
    This is great! Thanks for posting this Mark! :grin:


  • 7.  RE: Siteminder Policy Reader

    Posted Apr 10, 2013 06:36 AM
    Hi,

    Thank you very much.

    Regards.

    Ludo.


  • 8.  RE: Siteminder Policy Reader

    Posted Jun 05, 2013 10:10 PM
    Mark,

    I joined this community just to say Thank You!
    This is awesome tool.
    We have been looking for a long time for something like this to document the SM configuration for the Build Book.


  • 9.  RE: Siteminder Policy Reader

    Posted Jun 13, 2013 03:16 PM
    Thank you, Mark! :)

    Quick question : I see the 'edit property value' option for the elements in the property window. But it does not seem to be usable. Is this perhaps a future provision?


  • 10.  RE: Siteminder Policy Reader

    Broadcom Employee
    Posted Jun 20, 2013 05:03 AM
    Hi Peter

    petercyril wrote:


    Quick question : I see the 'edit property value' option for the elements in the property window. But it does not seem to be usable.
    There are a few items I experimented with, or are incomplete, I think I left that one to remind me to put in a view, to be able to show properties better, when they are multivalued or need decoding.

    petercyril wrote:

    Is this perhaps a future provision?
    It would be a nice idea, but there are no current plans - I still need to live up to the cmd line promise for the SMPolicyTraceTool, upgrading that is likely to be my next spare-time project.

    Cheers - Mark


  • 11.  RE: Siteminder Policy Reader

    Posted Jan 09, 2014 02:59 PM

    Hey Mark.

    Great tool.  I have been an SM  admin for many years, and have used an older tool that was open source back in the day called Safe 2.0.  This policy reader is much more usable and better designed.  Thanks for publishing it.

    My question or problem is that I have always struggled to define and produce anything that states an all encompassing list of related objects for a domain.  I'm in the middle of migration from V6.3 to SM12.5.  It would be extremely useful to have a way to pick a domain in this tool and generate a list of all the related objects, including system objects.  IE agents, directories.

    What I think would be cool is to have a report that says if you want to move this domain... here are all the things it would require you move with it.

    Am I missing something about this tool?  Is it possible for it to do what I'm asking it to do.

    Any help would be appreciated...

    Thanks - David



  • 12.  RE: Siteminder Policy Reader

    Broadcom Employee
    Posted Jan 20, 2014 10:59 PM

    Hi David.

    David wrote:

    Great tool.  I have been an SM  admin for many years, and have used an older tool that was open source back in the day called Safe 2.0.  This policy reader is much more usable and better designed.  Thanks for publishing it.

    Thanks, I did see Safe 2.0 although I had an internal (non XPS ) one that I was using at that time.

    David also wrote:

    My question or problem is that I have always struggled to define and produce anything that states an all encompassing list of related objects for a domain.  I'm in the middle of migration from V6.3 to SM12.5.  It would be extremely useful to have a way to pick a domain in this tool and generate a list of all the related objects, including system objects.  IE agents, directories.

    What I think would be cool is to have a report that says if you want to move this domain... here are all the things it would require you move with it.

    Am I missing something about this tool?  Is it possible for it to do what I'm asking it to do.

    No, it is not a function that is in there currently, I can see how that would be useful however, and it would not take a lot of work, since the reporting is already there to export a html report of different objects - I will put it on the to-do list - but it will take some time before I get round to looking at it unfortunately.

    Cheers - Mark

     



  • 13.  Re: Siteminder Policy Reader

    Posted Oct 20, 2014 11:38 AM

    By the way, tiny url http://tinyurl.com/SMPolicyReader does not point to this page for me.



  • 14.  Re: Siteminder Policy Reader

    Posted Mar 02, 2015 03:40 PM

    Wish there was a Love button. This is a GREAT tool. Thank you! We have a large number of objects in our policy store and the WAM UI is so limited in terms of what it can display per page, etc. Tried to view some SP objects (Federation). Looks like it has trouble displaying data from all the tabs in an SP object (General, SSO, Attributes, etc)



  • 15.  Re: Siteminder Policy Reader

    Posted Mar 11, 2015 10:26 AM

    YAY!

     

    Someone revamped the reader for R12.5x!



  • 16.  Re: Siteminder Policy Reader

    Posted Mar 30, 2015 07:15 AM

    Hi All,

     

    Just tried SMPolicyReader-3_0-BETA-278_bin tool with the policy store whole export taken using XPSExport.

     

    When trying to open it fails with the below error message.

     

    java.lang.RuntimeException: Unable to load file backup03302015.xml
        at com.ca.psreader.xpsgui.PolicyReaderFrame.readPolicyStore(PolicyReaderFrame.java:460)
        at com.ca.psreader.xpsgui.PolicyReaderFrame.loadFile(PolicyReaderFrame.java:398)
        at com.ca.psreader.xpsgui.PolicyReaderFrame$4.run(PolicyReaderFrame.java:347)
        at java.awt.event.InvocationEvent.dispatch(Unknown Source)
        at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
        at java.awt.EventQueue.access$500(Unknown Source)
        at java.awt.EventQueue$3.run(Unknown Source)
        at java.awt.EventQueue$3.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.run(Unknown Source)
    Caused by: org.xmlpull.v1.XmlPullParserException: in comment after two dashes (--) next character must be > not n (position: END_TAG seen ...- Xid="CA.SM::AgentInstance@PS-00000000000000000000000092019487--n... @313457:87)
        at org.xmlpull.mxp1.MXParser.parseComment(MXParser.java:2337)
        at org.xmlpull.mxp1.MXParser.nextImpl(MXParser.java:1177)
        at org.xmlpull.mxp1.MXParser.next(MXParser.java:1093)
        at com.ca.psreader.xpsreader.XPSXMLStreamReader.processDocument(XPSXMLStreamReader.java:155)
        at com.ca.psreader.xpsreader.XPSXMLStreamReader.readXMLInput(XPSXMLStreamReader.java:126)
        at com.ca.psreader.xpsreader.XPSXMLStreamReader.readInput(XPSXMLStreamReader.java:114)
        at com.ca.psreader.xpsgui.PolicyReaderFrame.readPolicyStore(PolicyReaderFrame.java:455)

     

    The whole export has one XID value as CA.SM::AgentInstance@PS-00000000000000000000000092019487--ndcsrv196.vzbi.com-cVgMEamitU6+Yn23gvv+JIApNjHik96SXuV3tTJkogo= , since it has -- the tool expects --> and because of that it is failing.

     

    Do we have any latest SM Policy Reader , which we can test?

     

    Thanks,

    Sivamurugan



  • 17.  Re: Siteminder Policy Reader

    Posted Mar 30, 2015 10:15 AM

    Sivamurugan SivaMurugan

     

    When the Host Registration was performed was a '-' [hyphen] used in the naming of Trusted Host? One way would be to re-register and use a Trusted Host name without '-' (once everything is working with new Trusted Host, delete the one with '-' ).

     

    I have been through this and exactly the very same object (We live in a very small world) that is being highlighted here. I have worked very closely with this Policy Store before. I raised a defect for this very issue because the import of the Policy Store was failing with this same error on the very same object.  It was suggested that '-' is not supported in Trusted Host names. Therefore a Doc defect was raised to indicate non-usage of '-' in Trusted Host names.

     

    I cannot disclose more info here. However if you need additional info raise a Support Ticket with CA. CA Support should be able to dig this defect number.

     

    Regards

     

    Hubert



  • 18.  Re: Siteminder Policy Reader

    Posted Mar 30, 2015 11:05 AM

    Hubert,

     

    Thanks for the reply. Indeed the trusted host has - . In fact we use - in all of our trusted hosts ( they take the format <PolicyName>-<WebserverFullyQualifiedDomainName> ).

     

    Will raise a case with CA and find out if '-' [ Hyphen ] is supported in trusted host and keep you updated.

     

    Thanks,

    Sivamurugan



  • 19.  Re: Siteminder Policy Reader

    Posted Mar 30, 2015 11:22 AM

    You are Welcome Siva SivaMurugan

     

    In case Support is unable to find that defect, kindly ask CA Support to connect with me (They should be able to find me to obtain the defect number).

     

    I think in general if we use hyphen in between characters then it may not be a problem. It is very specific to this object in the Policy Store as it is starting with hyphen. So there is a difference in where exactly the hyphen is placed.

     

    Meanwhile a snippet of the notes from the defect I raised.

     

    SNIP>

    The issue occurs during import because the XID of the AgentInstance has a '--' in the middle. This causes the parse to fail as the XID is part of a comment and '--' has a special meaning in XML comments. This occurs in only one object and this happened because the HCO name used to create this object started with a '-' as seen below:

     

    <Property Name="CA.SM::TrustedHost.Name"> <StringValue>-ndcsrv196.vzbi.com</StringValue>

    </Property>

     

    This may have happened by mistake when creating the HCO and since the HCO name is appended when creating the XID for AgentInstance it ended up with a '--' and hence the issue.

    For this, we should document that Site Minder does not support "-" as a prefix to trusted host object.

    <SNIP



  • 20.  Re: Siteminder Policy Reader

    Posted Mar 30, 2015 11:34 AM

    Hubert,

     

    Trusted Host that starts with - ( Hyphen ) makes some sense. The document by CA says ( CA SiteMinder® Integrated Documents 12.52 ) that " Do not start the host configuration object name with a hyphen ("-") character.".

     

    In this case the issue is with the Trusted Hosts and not the Host Configuration Object ( HCO ).

     

    Thanks,

    Sivamurugan



  • 21.  Re: Siteminder Policy Reader

    Posted Mar 30, 2015 11:42 AM

    Siva SivaMurugan

     

    I would re-word that as any siteminder object nomenclature, do not start with hyphen. Because if the XPSExport or XPS* tools when creating an XID for an Object Type adds a hyphen; then in XML Terms '--' means something else.

     

     

    XID value as CA.SM::AgentInstance@PS-00000000000000000000000092019487--ndcsrv196.vzbi.com-cVgMEamitU6+Yn23gvv+JIApNjHik96SXuV3tTJkogo=

     

    • CA.SM::AgentInstance@PS-00000000000000000000000092019487-

    and

    • -cVgMEamitU6+Yn23gvv+JIApNjHik96SXuV3tTJkogo=

    This is added by XPS Layer.

     

    Your Object name is -ndcsrv196.vzbi.com

     

     

     

    The same is true for any Object type (e.g. Agent, ACO, HCO, DomainName, RealmName etc etc etc......)
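
A pre-load check for the failure described in posts 16 to 21, as an added example that is not part of the thread or of any CA tool: it flags XML comments containing `--` and name properties that start with a hyphen, and confirms the result with a conforming parser. The XID and host name are the ones quoted above; the `<Export>`/`<Object>` wrapper, the comment layout and the second XID are assumptions constructed for illustration, not the real XPSExport schema.

```python
import re
import xml.etree.ElementTree as ET

# XID quoted in the thread: the object name "-ndcsrv196.vzbi.com" is joined
# with "-" on both sides, which yields "--" inside the XID.
BAD_XID = ("CA.SM::AgentInstance@PS-00000000000000000000000092019487"
           "--ndcsrv196.vzbi.com-cVgMEamitU6+Yn23gvv+JIApNjHik96SXuV3tTJkogo=")
# Constructed XID for a host whose name does not start with a hyphen.
GOOD_XID = ("CA.SM::AgentInstance@PS-00000000000000000000000000000001"
            "-web01.example.com-Q09OU1RSVUNURUQ=")


def make_export(xid, host_name):
    """Build a constructed, minimal export-like document (layout is assumed)."""
    return (
        "<Export>\n"
        "  <Object>\n"
        f'    <!-- Xid="{xid}" -->\n'
        '    <Property Name="CA.SM::TrustedHost.Name">\n'
        f"      <StringValue>{host_name}</StringValue>\n"
        "    </Property>\n"
        "  </Object>\n"
        "</Export>\n"
    )


BAD_EXPORT = make_export(BAD_XID, "-ndcsrv196.vzbi.com")
GOOD_EXPORT = make_export(GOOD_XID, "web01.example.com")

NAME_PROPERTY = re.compile(
    r'<Property\s+Name="([^"]+\.Name)">\s*<StringValue>(-[^<]*)</StringValue>')


def is_well_formed(xml_text):
    """True if a conforming XML parser (expat) accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def find_bad_comments(xml_text):
    """Return (line, context) for each comment whose body contains '--' or ends
    in '-'; XML 1.0 forbids both. Text scan only, CDATA sections are not
    treated specially."""
    findings, pos = [], 0
    while True:
        start = xml_text.find("<!--", pos)
        if start == -1:
            return findings
        body_start = start + 4
        end = xml_text.find("-->", body_start)
        if end == -1:                       # unterminated comment
            end = len(xml_text)
        body = xml_text[body_start:end]
        offset = body.find("--")
        if offset == -1 and body.endswith("-"):
            offset = len(body) - 1
        if offset != -1:
            at = body_start + offset
            line = xml_text.count("\n", 0, at) + 1
            findings.append((line, xml_text[max(body_start, at - 12):at + 14]))
        pos = end + 3


def leading_hyphen_names(xml_text):
    """Return (property, value) for *.Name properties starting with '-',
    the root cause identified in the thread. Works on unparseable files."""
    return NAME_PROPERTY.findall(xml_text)


if __name__ == "__main__":
    for label, doc in (("bad", BAD_EXPORT), ("good", GOOD_EXPORT)):
        print(label, is_well_formed(doc), find_bad_comments(doc),
              leading_hyphen_names(doc))
```

The text scan works on files the parser refuses to load, so it can point at the offending line and object name before an import or a viewer is attempted.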



  • 22.  Re: Siteminder Policy Reader

    Posted Mar 30, 2015 11:45 AM

    Hubert,

     

    Thanks for your time and update. Will note it down.

     

    Thanks,

    Sivamurugan



  • 23.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Mar 30, 2015 08:17 PM

    Hi Siva,

     

    For the reader it is just using a standard XML parser,  XStream

     

    It's possible it parses slightly differently to the ones used in SM libraries.

     

    I did find this :

          http://stackoverflow.com/questions/10842131/xml-comments-and

     

    Which implies -- is illegal within XML comments, but the section you have - was it the comments where it complained, or was it the content  ?

     

    Cheers - Mark

     

    PS: Siva, I don't have access to send you a private email, but mine should be available to registered users, and is in the tool as well, under About, if you want to send me the xpsexport, I'll have a quick look.
           The PolicyReader isn't officially supported as such, but still I am happy to fix bugs in it - time permitting.



  • 24.  Re: Siteminder Policy Reader

    Posted Mar 31, 2015 04:46 AM

    Mark,

     

    -- was in the content and not in the comments. As Hubert stated we will make sure - was not being used as starting characters in any of the objects which can result in this error.

     

    Thanks,

    Sivamurugan



  • 25.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Nov 22, 2015 03:52 AM

    Changes in 318

     

    2015-11-22 08:41 +0000 [r282-283]  mark.odonohue <odoma04@ca.com>:

     

      * Build Version 4.0-Alpha (Build: 318)

     

         * Committed Connect dialog bases screens

     

         * Added base64 and MS objectGUID decoding to get rid of some binary values appearing in

           the direct ldap read.

     

        * Handle null for class * handle "Class" when read as property from XPS, normally it would be "xpsClass"

          LDAP attribute, but we find a few did not have that and instead had a xpsProperty value that specified "Class"

          so also check and parse that as well.

     

    2015-11-22 08:34 +0000 [r281]  mark.odonohue <odoma04@ca.com>:

     

       * Updated build maps, when read xps & smobj objects, then we have two entries for distinguishedName and the like, so maps them

       to distinguishedName_SMObj.

        Still should map a few of the SMObj attributes (all of which get added as properties to our XPS  objects), and some of the

        internal SMOBJ attributes should be  mapped to XPS "attributes" not XPS "properties" but will be a bit of work so put on backburner.



  • 26.  Re: Siteminder Policy Reader

    Posted May 31, 2016 03:19 PM

    I am running the smpolicyreader version 4.0-alpha (build 318). The jre version on the machine is 1.6_20(32 bit). It loads any policy export. Only when I try to compare one store with another it gives error: "java.lang.OutOfMemoryError" "Java heap space"

     

    I tried to update the run.bat for smpolicyreader for Xmx1500m but that did not help. Any suggestion?



  • 27.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Jun 01, 2016 09:07 PM

    Hi BBhushan, sorry, I meant to respond yesterday, but got caught up.

     

    I assume the OOM exception is thrown when you load the exported policy store from the xml file - or when doing a compare and you need to load 2x policy store (really 3x since it also stores the combined compare image).

     

    Usually it runs without complaints, 1.5gig is a fair amount of memory, but for some time now I have been using 64bit java, and I could see how for compare of large policy stores it may need 64bit java.

     

    Are you able to run it on a 64bit java to see if that then works with -Mmx2g or more memory assigned in the run.sh file ?

     

    Cheers - Mark

    PS: If you want to send me the policy store export you have (via the case you have opened) I can have a look and see if I can load it.   Also the stack trace for the OOM error you get may help as well.



  • 28.  Re: Siteminder Policy Reader

    Posted Jun 02, 2016 11:20 AM

    Thanks Mark. I agree the 32 bit Java may not be able to process all this. Problem here is the customer env is very restricted and have to live with their Java version.

     

    Best Regards,

    Badal Bhushan

     

    Email: badal.bhushan@coreblox.com

    Primary No: 5852856648

    Secondary No: 5854458082



  • 29.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Jun 09, 2016 05:25 AM

    Hi Badal,

     

    I think I might have had some internal discussion with the client about this same issue, some time ago.   What you find with presumably large compare, not working on win32, and requiring 64bit JVM, seems a reasonable requirement.  

     

    I am sorry, but currently there isn't any plan to invest time in the compare to make it work better on win32 systems. 

     

    Alternatively you could try:

    a) You can move the xml files to a different machine from which they were extracted from to do the compare - 

     

    b) Or you could try with smaller exports, perhaps export only some domains to compare them, rather than the whole policy store.

     

    Cheers - Mark

    PS: I would be interested to know if the compare does work on 64bit env - it is still possible there is some bug.



  • 30.  Re: Siteminder Policy Reader

    Posted Jun 20, 2016 05:55 PM

    Is there any way to export an smdif format file to xps format (xml) with this tool or another?



  • 31.  Re: Siteminder Policy Reader

    Posted Jun 27, 2016 11:30 AM

    Hi Mark

     

    This is one heck of a tool.  I have been using V4.0 as well. What's the best way to report issues with the Alpha version?  I have couple of .smdif files that I need help with.



  • 32.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Jun 28, 2016 07:08 AM

    Hi Pasha, thanks for the kind words, my problem when I use it is I only see things I didn't have time to fix!

     

    The best way to report bugs would be to add them here, but if you have problems with reading specific exports, then it is probably best to send them privately to me, or via a support case.   The tool itself is not an official product, but having said that often the problems are obvious, a byproduct of it being developed in spare time, and fortunately they are usually fixable with a quick change.

     

    Cheers - Mark



  • 33.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Jul 16, 2016 02:13 AM

    Hi added an update - the changes are quite a lot of bug fixes.

     

    1) Bug fixes to the UI (ability to copy, better handling of refresh)

    2) A LOT of fixes for reading and parsing policy stores directly from database and ldap

    3) Added ability to read ldif files (newish) - just vanilla ldif at this stage.

     

    Cheers - Mark



  • 34.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Jul 17, 2016 01:03 AM

    Fixes done in this build, fixed since the last released build :

     

    2016-07-17 04:55 +0000 [r336-337]  mark.odonohue <odoma04@ca.com>:

     

      * Build Version 4.0-Alpha (Build: 338)

     

       - Added runOracle.bat/runOracle.sh

     

       - when reading from Oracle RDB or from .smdumpRDB saved from Oracle

         database then we need the oracle .jar file in the path (adding it

         dynamically didn't work probably it can work dynamically adding,

         but did not work for me)

     

       - Changed policyStoreConnect.properties can add some of the print

         settings used to debug direct connect to policy store issues

     

       - Read from LDIF file, this is similar to parsing direct from LDAP

         but also had a few twists in how the data is stored. Reader

         inherits from LDAP reader, so has much the same logic. Reads

         multi line ldap attributes, decodes from base64 where required

     

       - Fixed reader.close() problem was holding file open after read.

     

       - Adding tmp dir as default to user home directory on windows or

         /tmp on unix for where to save the dump files if specified.

     

       - Changed display so when select new target in tree it goes back to

         the properties tab, and also if select non-object tree element

         (such as tree group menu item) will clear the selection

     

       - Added xpsNumber to the ListAllObjects dialog, and allows sorting

         and filtering, xpsNumber obviously only visible when load from

         LDIF or LDAP or RDB, not visible when load from xpsExport or

         smdif

     

       - Added Copy and Copy-Values right click menu items on the Item

         Detail Panel, can select multiple Attributes/Properties/Child

         Objects in the tables, and then copy either the name:value pairs

         or just values into clipboard.

     

       - Fix for save file selection for .smdumpLDAP .smdumpRDB it was a

         bit wonky about where it would save it should be fixed now (bit

         not tested too well, didn't have right env)

     

       - Changed all internal representations of xpsNumber to Long, to get

         around problems with internal classes with high values, higher

         than can be represented by an int.

     

       - Changed default display for some objects, a lot of FED objects

         do not have Name field, and so it displays Oid value (more work

         needs to be done on organising the display of FED objects,

         partially done but could be better move some elements to children

         or FEDBase and FEDPartnership, would look better)

     

       - Added check and display of errors where SMObj's do not have

         associated Xps objects.

     

       - Added display (as warning) of xps objects that have tombstone

         entries these are marked for deletion by Siteminder, but not

         physically deleted as yet we display them as on a number of

         occasions we found deleted objects that should not have been

         and non-working policy stores were restored by removing the

         tombstone entry (undeleting it) Currently it does not show links

         (if any) from legit objects but those should have generated

         errors

     

       - just no direct pointer to the tombstoned entry here (maybe in

         later fix)

     

       - Added detection of bad format xpsNumbers, Novell directory can on

         replication class rename db to dn=xpsNumberX_X where X's are

         numbers. Obviously this isn't directly parsable as a Long and

         these objects sit in the LDAP policy store.

     

       - Added check and display of error when there are two XPS entries

         (with different xpsNumbers) that point to the same SmObj

         (xpsGuid/Oid) value.

     

       - Fixed error parsing XPSDict object which has property called

         "Class" this was being treated as "special" since "Class" was

         used internally in the viewer. "Class" value is stored as a

         String, not a Link object however if not found in known list of

         dictionary/meta xpsNumbers then will be left as a Link and will

         generate an error (to show not found).

     

       - Fixed class with internal names ParseItem_XID and ParseItem_Xid

         clash on windows systems which does not distinguish file name on

         case used ParseItem_XID_UpperCase

     

       - Tightened up check for link to parent, if xpsParent differs from

         parent as set via Oid mapping for child item . found one bug where

         0f- UserPolicy objects were linking to both 03- and 04- items

         as parents fixed.

     

    Cheers - Mark
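
    Added example, not part of the original post and not SMPolicyReader code: a small Python sketch of the store consistency checks listed above (xpsNumber values that do not parse as a 64-bit number, tombstoned entries, and two XPS entries sharing one xpsGuid/Oid). The record layout, the sample values and the function name are constructed for illustration.

```python
INT32_MAX = 2**31 - 1
INT64_MAX = 2**63 - 1

# Constructed records, one per policy-store entry. The dict layout is an
# assumption; only the attribute names come from the release notes.
SAMPLE_RECORDS = [
    {"xpsNumber": "1001", "xpsGuid": "03-aaaa", "xpsTombstone": None},
    {"xpsNumber": "3000000000", "xpsGuid": "04-bbbb", "xpsTombstone": None},
    {"xpsNumber": "1002_1", "xpsGuid": "0f-cccc", "xpsTombstone": None},
    {"xpsNumber": "1003", "xpsGuid": "03-aaaa", "xpsTombstone": None},
    {"xpsNumber": "1004", "xpsGuid": "0f-dddd", "xpsTombstone": "1"},
]

def check_store(records):
    """Return a list of (severity, xpsNumber, message) findings."""
    findings, by_guid = [], {}
    for rec in records:
        raw = rec["xpsNumber"]
        # A renamed value such as "1002_1" is not a number at all.
        if not (raw.isascii() and raw.isdigit()) or int(raw) > INT64_MAX:
            findings.append(("error", raw, "xpsNumber is not a valid 64-bit number"))
            continue
        # Values above the 32-bit range are legal but break int-based code.
        if int(raw) > INT32_MAX:
            findings.append(("info", raw, "xpsNumber needs a 64-bit type"))
        # Assumption: any xpsTombstone value means "marked for deletion".
        if rec.get("xpsTombstone") is not None:
            findings.append(("warning", raw, "entry is tombstoned"))
        by_guid.setdefault(rec["xpsGuid"], []).append(raw)
    # Two different xpsNumbers pointing at the same object is an error.
    for guid, numbers in by_guid.items():
        if len(numbers) > 1:
            for n in numbers:
                msg = "xpsGuid %s shared by %s" % (guid, ",".join(numbers))
                findings.append(("error", n, msg))
    return findings

if __name__ == "__main__":
    for finding in check_store(SAMPLE_RECORDS):
        print(*finding, sep="\t")
```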



  • 35.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Jul 18, 2016 08:58 AM

    Diff to 339 is better layout of objects for Federation objects.

     

    Cheers - Mark



  • 36.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Jul 31, 2016 08:49 PM

    Diff to 342 is better layout of IDM objects, when read directly from Policy Store & some bug fixes.

     

    Cheers - Mark



  • 37.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Aug 01, 2016 01:05 PM

    Thank you Mark for your continued work on this tool. It has proven itself to be invaluable to the latest project I am working on.

     

    -Adam



  • 38.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Aug 16, 2016 08:42 PM

    SMPolicyReader diff to 345 : some bug fixes, mainly to the IDM objects, and also better display of ACO attributes of form =2= (was handling =0= and =1= versions, but not =2= ones) - Cheers - Mark



  • 39.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Aug 22, 2016 10:52 PM

    SMPolicyReader diff to 446 :

    Handle reading extended ldif exports a bit better:

    eg, extended export has format for attributes of:
      cn;adcsn-48068ac10000000a0000;vucsn-48068ac10000000a0000: siteminder

      cn;vdcsn-48068ac10000000a0000;deleted:

     

    Currently we handle this very simply, and remove the replication version info when reading it, to give :
        cn: siteminder
        cn:

     

    There are also deleted attributes:

        xpsTombstone;adcsn-4826040002000a0002;vdcsn-482631040002000a0002;deletedattribute;deleted:

     

    I put it on the to-do list to find a good definition for these replication attributes, and then coding a better method of handling them.

    (if anyone knows the link then do add it, and I'll look later)

    Cheers - Mark
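
    Added example, not part of the original post and not SMPolicyReader code: a minimal Python reader for the extended LDIF form shown above, which also covers the multi-line and base64 handling mentioned in the earlier release notes. The sample entry is constructed, and reading the `deleted` / `deletedattribute` options as "drop this value" is an assumption, since the post notes their definition is still to be found.

```python
import base64

# Constructed sample: one entry from an extended LDIF export, with a folded
# line, a base64 value and replication options on the attribute names.
SAMPLE_LDIF = """\
dn: xpsNumber=1001,ou=example
cn;adcsn-48068ac10000000a0000;vucsn-48068ac10000000a0000: siteminder
cn;vdcsn-48068ac10000000a0000;deleted:
description:: U2l0ZU1pbmRlciBwb2xpY3kg
 c3RvcmU=
xpsTombstone;adcsn-4826040002000a0002;vdcsn-482631040002000a0002;deletedattribute;deleted:
"""

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_entry(text, drop_deleted=False):
    """Return {attribute: [values]} with options stripped from the names.

    drop_deleted=False mirrors the simple handling described in the post;
    drop_deleted=True skips values whose options start with "deleted"
    (an assumption about what those options mean).
    """
    entry = {}
    for line in unfold(text):
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        base, *options = name.split(";")
        if drop_deleted and any(o.startswith("deleted") for o in options):
            continue
        entry.setdefault(base, []).append(value)
    return entry

if __name__ == "__main__":
    print(parse_entry(SAMPLE_LDIF))
    print(parse_entry(SAMPLE_LDIF, drop_deleted=True))
```

    With plain option stripping the deleted xpsTombstone attribute still shows up as present with an empty value, which matters to any check that treats the presence of xpsTombstone as "marked for deletion".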



  • 40.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Sep 23, 2016 06:06 AM

    SMPolicyReader diff 450 to 452 : 

         Change :

            a) To make print Differences not give NullPointerException if checkbox for print selected is checked, and nothing selected.

            b) Print Differences now prints Xid, Oid, and/or xpsNumber to make it work better with the ldif and other raw data reads. 

     

    Cheers - Mark



  • 41.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Oct 11, 2016 04:50 AM

    SMPolicyReader diff 354 on 11-Oct-2016

     

    The Reader was only good with complete xpsexports - backups and the like, and not so good with partial exports - such as exporting only a domain.  Due to recent support case this version fixes that. 

     

    Mostly this is done with fix to read XPS ReferenceObject.  <LinkValue> for ReferenceObject is done a little differently, normally <LinkValue> has child <XID> or <XREF> with the reference.  But when in a ReferenceObject  <LinkValue> has the raw text of the link.

     

    There is still one issue, the <LinkValue> in a ReferenceObject can point to another ReferenceObject, and if that 2nd ReferenceObject physically occurs after the reference to it, currently we don't detect it and put up an error - will have to fix that down the track.

     

    Anyway now you can do an xpsexport of a domain, and compare it to another exported domain.

     

    Cheers - Mark



  • 42.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Nov 10, 2016 11:55 PM

    Just a quick note if connecting to the Policy Store using the Oracle Database and the service name not the SID :

    the JDBC connect URL format is : 

         jdbc:oracle:thin:scott/tiger@//myhost:1521/myservicename

     

    Using SID (which is what I have put in as default) the URL format is of the form :

         jdbc:oracle:thin:@<hostname>:1521:orcl

     

    Some links : 

     

     

     

    Cheers - Mark



  • 43.  Re: Siteminder Policy Reader

    Posted Oct 04, 2017 04:22 PM

    Hi odom04,

     

    I have tried policy reader to compare DEV and QA domain policies with the Name ID and XID, it's failing to compare.

    What I did is I have changed Dev-- domain, realm rule and responses name ID's same as QA. Still I was not able to compare and print the difference. Could you please provide me more details or any document on how to compare? What changes do I need to make in both xml files before I compare?

     

    Thanks,



  • 44.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Oct 04, 2017 05:36 PM

    Hi Sreev, I can add some instructions a bit later, but do you get an error or does it just not report any differences? - usually it runs fairly simply - but there are occasional bugs.

     

    If you want to send the two xml files either via case or direct mark.odonohue@ca.com then I can run them and send result back.

     

    Cheers - Mark



  • 45.  Re: Siteminder Policy Reader

    Posted Oct 04, 2017 10:03 PM

    I am not seeing any errors. Displayed objects in dark blue, and  red strike,  I am not seeing any difference  on both files.

    I opened up a support case.  



  • 46.  Re: Siteminder Policy Reader

    Posted Apr 06, 2018 01:36 PM

    This tool is very helpful, thanks.

    I would love it if I could copy the values from either the stats or references tabs.

    I need to export everywhere a particular auth scheme is used and this would be a very easy way.

     

    Thanks



  • 47.  Re: Siteminder Policy Reader

    Broadcom Employee
    Posted Apr 08, 2018 09:17 PM

    The stats page is text, I think you can select and do ^C to copy 

     

    The tables like the references, also should have a copy in them too (I think I did most of them) - so either right click might give a menu - or highlight and a ^C would copy.

     

    I am not in a position to test that at the moment (I am very sure of the stats, not as sure on the references) - but do get back on if that worked - if not I can add it to the todo list.

     

    Cheers - Mark



  • 48.  Re: Siteminder Policy Reader

    Posted Aug 21, 2018 01:12 PM

    Has this been updated to support 12.8?  



  • 49.  RE: Re: Siteminder Policy Reader

    Posted Jan 13, 2020 01:47 PM
    I have the same question.  Any timeline (even a vague one) if/when the Policy Reader will support r12.8?

    Thanks!


  • 50.  RE: Siteminder Policy Reader

    Broadcom Employee
    Posted Jan 13, 2020 09:18 PM
    A great contribution (again) Mark :)