Symantec Access Management

We have multi-master policy store environment and they are in sync with each other.

When I imported the objects to the policy server 1, Admin-UI configured to that policy server 1 is displaying all the objects. Problem is some of the objects are not displayed in the Admin-UI connected to policy server 2. Policy store replication is good and validated using the XPSExplorer. Ran the XPSSweeper to synchronize with the cache did not resolved the issue. After restarting the

policy server 2 only objects are displayed in the Admin-UI.

Following this thread Admin UI updates not seen in any other policy server other than the one that created the object

We have different setup,

We are using the Oracle Unified Directory.

Policy server : R12.52 CR04

I am having 3 questions:

1. How the Admin-UI check for the newly imported objects.

2. When we run XPSSweeper, it Synchronizes XPS and CA SiteMinder policy stores.  In this case policy store  have the objects and Admin-UI is not displaying them.

3. After restarting the policy server missing objects are displayed. Guess this is due to Initializing XPS and BulkFetch of the policy store and building policy cache. (Correct me if wrong)

One more thing is when restarting the policy server, I see the following 3 lines in smps log, Help me with understanding what this mean.

Journal commands refresh interval is 60 second(s)

Server command synchronization delta is 51 second(s)

Secondary cache failure timeout is 0 second(s)

Thanks.

Hi,

Do you have the FSS admin UI that can check if you can see the objects in both policy servers? This can help us to isolate if the issue is due to policy store replication or WAMUI.

If the objects can be seen in FSS admin UI, then most probably due to WAMUI issue.

XPSSweeper is to synchronize XPS and SiteMinder policy stores. This happen within same policy store instance. This is not synchronize between two replicated policy store. For your second question, we are not sure if the policy store contains the object even you run xpssweeper if there is some delay on the data replication happen.

For question 1, there is housekeeping thread check the updated objects and WAMUI will pick up the updated objects.

For question 3, I believe that's the case.

Did your policy server 1 and 2 time synchronize?

Regards,

Kar Meng

Secondary cache failure timeout is 0 second(s)

The Secondary cache was introduced in Siteminder R6. It is more accurately a set of secondary cache(s) for Rules matching:

a. Realm Cache fast, non linear realm matching for IsProtected.

b. Agent Name Cache hash map for Agent OID resolution. Used by IsProtected.

c. Agent Group Cache set of hash maps for Agent Group membership resolution. Used by IsProtected.

d. Policy Cache fast, non linear rule matching for IsProtected and IsAuthorized 

The caches are completely loaded when the Policy Server is started as well as when a cache is flushed.

There are a number of scenarios where the secondary cache could fail to load though the problem itself is not a common one. 

--cache timeout

--network problem

--connection to policy store

--memory issue on Policy Server

When the secondary cache buildup is not successful, the policy server aborts after a timeout period. You specify the timeout period using the following registry key: 
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore\CacheFailureTimeout
The value of this key is in seconds. The default is 0, which implies no timeout. So, after the policy server shuts down, the smexec brings up the next process event request immediately.

This registry key is available in release R12 Sp3 CR9 and onwards.

Journal commands refresh interval is 60 second(s)

The administrative journal is a record of administrative changes applied to the Policy Server. Administrative changes are distributed to every Policy Server in a CA SiteMinder installation through a central policy store, where the administrative journal is kept.

On the Advanced tab of the Management Console, you can configure the administrative journal by specifying how often administrative changes are applied to the Policy Server and how long the Policy Server maintains a record of the applied changes.

Policy server management console --> Advanced tab --> Administrative Journal Group Box --> Apply administrative changes every xx (seconds).

can you please let me know on this below line too of ps logs

Server command synchronization delta is 51 second(s)

where the configuration for this resides? what this is used for ?

I cant see any entry of 51 sec in sm.registry

can you please let me know on this below line too of ps logs

"Server command synchronization delta is 51 second(s)"

where the configuration for this resides? what this is used for ?

I cant see any entry of 51 sec in sm.registry

Hi,

Please refer How to modify the value of "Server command synchronization delta" 

Regards,

Leo Joseph.