I have changed the password of the account which is used to connect to the policy store. I have updated the credentials in smconsole and restarted the policy server. The Webagent and policy server are working fine. But, while starting the WAMUI, the SiteMinder environment is not getting started and I could see an 'Invalid Credentials' error message in the logs.
If I revert the changes to old password, I am not getting any error while starting WAMUI.
1) Can someone please let me know if I need to update the password in any other place as well? How will WAMUI know the policy store credentials? Where will it store these credentials?
2) If I add more than one policy server connection to the existing WAMUI, how will the handshake happen between WAMUI and the additional policy server, as the file generated by XPSRegClient is getting removed automatically after the registration in WAMUI? I could see that the Trusted Host object and Admin object are getting created in the Policy Store. But in which file will the shared secret details be saved on the policy server side? It would be better if someone could explain this flow in detail.
The first question is strange; usually the admin UI does not correlate to the policy store connection account.
That account information is stored in a registry file, not in the policy store at all.
Maybe you have a report server or audit server connection that somehow shares the same account?
Something was missing in the use case description. You can also search the entire policy store export XML file for the account.
When XPSRegClient was called, the SiteMinder admin needs to complete the registration by going through the admin UI and logging in with id/pass/ui_name; this removes the temp record in the policy server and creates a permanent record in the policy store.
Every registered and working UI has a trusted host record in the store, like hostname__0 (Generated by XPSRegClient).
The same record was used for the next login attempt.
Because it is a trusted host, the handshake will happen for each UI login respectively.
Hope this helps.
I am pretty sure you are using the same user account that you used to connect to the policy store to also connect to the External Administrative store?
If so, the credentials for this are also stored on the Admin UI side:
So, if the password for this account has changed, apart from updating the smconsole you will also need to update it on the Admin UI side. You can do so by running the following steps:
Configure an External Administrator Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
Update directory manager credentials with the smjndisetup utility.
Follow these steps:
Run the following command:
Use the smjdbcsetup utility to update database user credentials in the JNDI data source.
To update database credentials
The utility prompts you to enter a unique identifier.
Enter the name of the deployed data source.
Note: If you do not know the data source name, you can locate all deployed data sources in the standalone-full.xml file. The path to this file is administrative_ui_home\siteminder\adminui\standalone\configuration.
administrative_ui_home specifies the Administrative UI installation path.
The utility prompts you for the database user name.
For the second part of your question, let's spin off a new thread as that is unrelated to the first question.
I will update shortly on that as well.
Thanks for your response. As usual, you are absolutely correct. We are using the same account to connect to the policy store and the external Admin store. The issue has been resolved after executing smjndisetup.sh; I have one query though.
Where will these username and password details (to connect to the external Admin store) be stored, as I could see that the CADirectory xml file (which is in the ../siteminder/directories/ folder) is not getting updated even after executing the smjndisetup.sh script?
Note: I have even tried changing the user (to connect to the external Admin store) but still the CADirectory xml file was not updated.
Regarding my second query, as per your suggestion, I created a new thread.
CA SSO: How will the handshake happen between WAMUI and the Policy server?
The new password will be saved in the adminui Apache Derby database in encrypted format.
Glad that worked for you. Please mark the answer as correct if the issue is resolved.
Thanks for your response.