Symantec Access Management

r12.52 SP1 CR05 RHEL

We have three policy servers in our production environment.  We are trying to avoid using the "Siteminder" administrator account to login to the Admin UI so we need to create additional individual administrator accounts for each admin. 

I login to policy server 1 to created new-admin-user administrator account.  I was able to login to policy server 1 with this new admin account, but when I tried to login to the other two policy servers with the same new admin account, I was able to authenticate but could not get into the Admin UI with error message "Unable to get administrator context".

I opened a case with CA Support, but hoping that folks here would be able to get me help faster.

Thanks!

I am not clear - but will try to respond based on the following assumptions;

      All three Policy Servers are used to administer a common Policy Store

      There is only one (1) AdminUI instance, which may reside on any platform

      The Administration UserIDs are not Internal accounts, rather they are External (i.e. stored in the User Store)

      The AdminUI was registered (XPSRegClient) for all Policy Servers - if not - this could cause this behavior

NOTE: "Best Practice" is to assure all administration actions are performed on a common  server.  

      e.g.  For PS-1, PS-2, PS-3  -  administrators should only use PS-1 for administration changes

There have been cases of when making changes on different policy servers, this can result in phantom objects. 

Hope this helps,

Kirk - leslie.kuykendall@ca.com

Hi Leslie, thank you for the response.  Let me provide more info:

I have three separate RHEL servers each server has an installation of SM policy server along with it's own policy store and also an installation of AdminUI.  All three policy stores are CA Directory Server instances and they replicate.  Our internal security audit requires that each of the SM admins need to use a unique admin account to login to the AdminUI rather than the "siteminder" admin account.  We created an additional admin account which is an internal user ID (not external user directory) on policy server "A".  We are able to login to the AdminUI of policy server "A" with this user, but we cannot login to the other two policy server AdminUI with this user. 

Hi Duc,

This looks like policy store synchronization issue to me.

Have you tried restarting secondary policy server where the login fails ?

Also, can you run some test and paste the result here ..

1. Run XPSSecurity from PS bin directory (if it doesn't exist you may have to copy it from installation zip file)

2. Type A , Enter

3. Type the number corresponding the the new legacy admin that you created "admin1", Enter

4.  Then copy the screenshot and paste here :

It should be something like this :

Please provide this output from both the policy server.

Regards,

Ujwol

Ujwol,

You were right!

At first I did not think that it would be a policystore sync issue because when I tried logging in to the secondary policy server using the new admin account ID/PW, it did not reject my password at authentication.  I thought that if it is a policystore sync issue then it wouldn't even authenticate me at all.  But anyway, I restarted the other two policy servers and now that new admin account is able to successfully login to all three servers.

Much thanks for your help!

Regards,

Duc Tran.

Ujwol

I was going to also suggest that - restart PS to Sync -  but noted that you had already provided.

Duc,

Glad that this resolved the issue.

Take care,

Kirk