Symantec Access Management

I'm in the process of configuring the session assurance for a protected resource. I believe I have the right pieces in place but session assurance is not working.

1- Installed the SPS R12.52 enable advanced auth

2- Installed CA SiteMinder R12.52 and enabled advanced auth

3- Created my Session Assurance endpoint on the Policy Server

4- Assigned the Session Assurance endpoint  to my protected Realm

So when I access the protected resource, I'm being directed to the 

/authapp/flows/i/session_assurance_flow.html but this resource doesn't seem to be available on the proxy.

Would anyone be able to tell me, where is this html resource located?

Hi,

This is just a servlet URL which is configured on the SPS side, there is no physical file available.

Have you enabled SSL on the SPS ? Have you provided SSL port while configuring the Session Assurance End Points in Admin UI ?

Anyone has anymore information on the Enhance Session Assurance? The documentation on this feature is extremely poor from a configuration perspective. I have everything configured according to the document and I'm getting an error in the authentication flow url, here is the error:

"An internal error has occured. Please close and re-open your browser. If the problem persists, please contact your helpdesk."

When I look at the logs I don't see anything alarming pointing to this issue, I'm seeing the user is authenticated and authorized.

Couple of things to check.

• Is there a Session Server Configured?
• Is the RM Services on Policy Server machine running?

Regards

Hubert

Yes I have the CA Directory configured as a session store and the CA RiskMinder Service does not appear to be running. When I try to start it as a windows service it automatically stops... could that be the issue?

Hi,

Once installed the Policy Server with the Policy Store, you have to configure it without any options, in order to enter the Master Key.

After that, start the Policy Server and the Session Assurance should be up.

Best Regards,

Patrick

I have the session assurance configured, but I'm noticing an issue that could be a limitation to the product.

I'm using the CA SPS R12.52 and the CA SiteMinder R12.52 on the same box.

It appears that both the R12.52 policy server and the R12.52 Secure Proxy server are using the ARCOT_HOME environment variable and since the path is different I get an error when starting the secure proxy server. The path for ARCOT_HOME is set for the policy server as:C:\Program Files (x86)\CA\aas

Therefore, when the secure proxy server tries to access the cawebflow_log4.xml I get the error below.

[ERROR] - java.io.FileNotFoundException: C:\Program Files (x86)\CA\aas\conf\cawebflow_log4j.xml (The system cannot find the file specified)

But if I change the ARCOT_HOME from the path above to C:\Program Files (x86)\CA\secure-proxy\arcot, the secure proxy starts fine but the RiskMinder service for the policy server throws an error.

Could it be that the R12.52 SPS with DeviceDNA and the Policy Server R12.52 with Advanced Authentication do not work on the same server? Can someone please provide some clarification on this?

Hi,

As per best practices, for security reason, you should not run the SPS (which protect access from external) on the same machine as the Policy Server (which process the SPS request).Remember that the SPS is a Standalone server, and per documentation it does not support any other Web Server on the same machine, and if you run the Policy Server, you might need

to configure the OneView Monitor with need a Web Server.

Best Regards,

Patrick

Patrick,

I absolutely agree with you, in terms of best practices the SPS should not be installed on the Secure Proxy Server, but from a testing perspective I don’t see why they should not be able to coexist. I’ve done plenty of installs with the SPS and the Policy Server on previous versions of the product. It looks like the RiskMinder component in R12.52 is causing the issue?

Can someone from CA, please let us know if it is not feasible?

I absolutely agree with Patrick on best practices. I would however still raise a defect for it because typically when a sales / pre-sales team want to demo certain functionality, they would normally host these services on a single machine. It does not represent a good feeling neither to person presenting OR to whom it is being presented, when two services cannot interwork appropiately in such a case.

In this case, CA is pushing for seperate server as both Policy Server and SPS connecting with same ODBC connection CAAdavancedAuthDSN

Yes, you need seperate servers. I ran to same issue during my lab setup. Session assurance needs CAAdvancedAuthDSN set to differnt value on Policy Server and SPS. Typically CA recommends to run these components on seperate servers which we override in lab environment. in this feature this is moved from recommedation to must have requirement. Also do not forgot to download Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files package on Secure Proxy Server.

Vineet,

I don't think we are talking about the same issue, there is no dependency on having the SPS connecting to an ODBC database for Enhanced Session Assurance to work. The issue that I'm having is with the ARCOT_HOME variable, which is used by both SPS and the Policy Server.

I see A LOT of confusion about this configuration, Is anyone from CA support on this thread able to provide the detail steps required to get this working. The bookshelf documentation is very minimal.

I have got it working by deploying it on seperate servers . This is needed due to following conflicts of ARCOT_HOME and CAAdavancedAuthDSN.I did not try much to fit it on the same server after i learned that there is a conflict. So soemone from CA support might know the trick but default installer does not have options to move Policy Server and Proxy Server to names like ARCOT_HOME1 and 2 and same for CAAdavancedAuthDSN.

The variables were set to following path in my setup

Policy Server ARCOT_HOME C:\Program Files (x86)\CA\aas

SPS  ARCOT_HOME    C:\Program Files (x86)\CA\secure-proxy\arcot

CAAdvancedAuthDSN

Policy Server C:\Program Files (x86)\CA\aas\bin\SmHost.conf

SPS C:\Program Files (x86)\CA\secure-proxy\arcot\conf\SmHostFlow.conf

The installation instructions for session assurance indicate that the PS and Access Gateway (formerly known as SPS) need to be on separate computers. Here is the wiki doc link and look for step 1 in the Configure section https://wiki.ca.com/pages/viewpage.action?pageId=80351409