Symantec Access Management

Expand all | Collapse all

Creating administrator account on multiple policy servers

Jump to Best Answer
  • 1.  Creating administrator account on multiple policy servers

    Posted 01-24-2018 03:26 PM

    r12.52 SP1 CR05 RHEL

    We have three policy servers in our production environment.  We are trying to avoid using the "Siteminder" administrator account to login to the Admin UI so we need to create additional individual administrator accounts for each admin. 

     

    I login to policy server 1 to created new-admin-user administrator account.  I was able to login to policy server 1 with this new admin account, but when I tried to login to the other two policy servers with the same new admin account, I was able to authenticate but could not get into the Admin UI with error message "Unable to get administrator context".

     

    I opened a case with CA Support, but hoping that folks here would be able to get me help faster.

     

    Thanks!



  • 2.  Re: Creating administrator account on multiple policy servers

    Posted 01-24-2018 06:17 PM

    I am not clear - but will try to respond based on the following assumptions;

          All three Policy Servers are used to administer a common Policy Store

          There is only one (1) AdminUI instance, which may reside on any platform

          The Administration UserIDs are not Internal accounts, rather they are External (i.e. stored in the User Store)

          The AdminUI was registered (XPSRegClient) for all Policy Servers - if not - this could cause this behavior

         

    NOTE: "Best Practice" is to assure all administration actions are performed on a common  server.  

          e.g.  For PS-1, PS-2, PS-3  -  administrators should only use PS-1 for administration changes

    There have been cases of when making changes on different policy servers, this can result in phantom objects. 

     

    Hope this helps,

     

    Kirk - leslie.kuykendall@ca.com



  • 3.  Re: Creating administrator account on multiple policy servers

    Posted 01-24-2018 07:00 PM

    Hi Leslie, thank you for the response.  Let me provide more info:

     

    I have three separate RHEL servers each server has an installation of SM policy server along with it's own policy store and also an installation of AdminUI.  All three policy stores are CA Directory Server instances and they replicate.  Our internal security audit requires that each of the SM admins need to use a unique admin account to login to the AdminUI rather than the "siteminder" admin account.  We created an additional admin account which is an internal user ID (not external user directory) on policy server "A".  We are able to login to the AdminUI of policy server "A" with this user, but we cannot login to the other two policy server AdminUI with this user. 

     



  • 4.  Re: Creating administrator account on multiple policy servers
    Best Answer

    Posted 01-24-2018 07:39 PM

    Hi Duc,

     

    This looks like policy store synchronization issue to me.

    Have you tried restarting secondary policy server where the login fails ?

     

    Also, can you run some test and paste the result here ..

     

    1. Run XPSSecurity from PS bin directory (if it doesn't exist you may have to copy it from installation zip file)

    2. Type A , Enter

    3. Type the number corresponding the the new legacy admin that you created "admin1", Enter

    4.  Then copy the screenshot and paste here :

    It should be something like this :

     

     

    Please provide this output from both the policy server.

     

    Regards,

    Ujwol



  • 5.  Re: Creating administrator account on multiple policy servers

    Posted 01-24-2018 08:20 PM

    Ujwol,

     

    You were right!

     

    At first I did not think that it would be a policystore sync issue because when I tried logging in to the secondary policy server using the new admin account ID/PW, it did not reject my password at authentication.  I thought that if it is a policystore sync issue then it wouldn't even authenticate me at all.  But anyway, I restarted the other two policy servers and now that new admin account is able to successfully login to all three servers.

     

    Much thanks for your help!

     

    Regards,

     

    Duc Tran.



  • 6.  Re: Creating administrator account on multiple policy servers

    Posted 01-25-2018 10:42 AM

    Ujwol

    I was going to also suggest that - restart PS to Sync -  but noted that you had already provided.

     

    Duc,

    Glad that this resolved the issue.

     

    Take care,

    Kirk