Symantec Access Management

  • 1.  Tunnel Agent failure while using javadmsapi

    Posted Apr 11, 2018 04:01 PM

    Team,

     

    In order to cater to a business requirement, we are creating custom Java code that uses javadmsapi to update the password disabled flag for a particular user. We are using the javadmsapi SDK from CA SSO, and while running the code we are getting an Exception: Tunnel Agent Failure (exception method snapshot below).

     

    In the properties file, we have to provide the agent name, agent secret and agent IP.

     

    I need pointers on the 2 questions below:

    1. Any pointers on the Exception: Tunnel Agent Failure error?

    2. What agent name, agent secret and agent IP shall I give? For now, I had created a 4x agent and gave its details here. Am I missing something here?

     

    Please advise.



  • 2.  Re: Tunnel Agent failure while using javadmsapi

    Posted Apr 11, 2018 05:32 PM

    Hi Shivam,

     

    Have you tried using this sample:

    https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2016/02/29/tech-tip-ca-single-sign-onpolicy-server-read-password-blob-utility

     

    This utilizes DMSAPI.

    If this works then you can build on it to implement your use case.

     

    A 4x agent is fine to connect to the Policy Server.

    When you get tunnel failures, check what error you get on the Policy Server side.

    If there is no error on the PS, check the firewall / try telnet to the PS port.

     

     

    Sent from my iPhone
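
    The "try telnet to the PS port" step above, as an added diagnostic script (not part of this thread or the CA SDK): it probes the three Policy Server ports the posted ServerDef uses (44442 authentication, 44443 authorization, 44441 accounting) from the client host and reports which ones a firewall or a missing listener is blocking. It assumes either bash (for /dev/tcp) or nc is installed.

```shell
#!/bin/sh
# Connectivity check for the Policy Server ports a 4.x Java agent must reach
# before any DMS API call can work. Port numbers match the ServerDef in the
# posted ReadPasswordBlob code. Added diagnostic, not CA code.

PS_AUTHN_PORT=44442
PS_AUTHZ_PORT=44443
PS_ACCT_PORT=44441

# check_ps_port HOST PORT: return 0 if a TCP connection can be opened.
check_ps_port() {
    host=$1
    port=$2
    if command -v bash >/dev/null 2>&1; then
        # /dev/tcp is a bash feature; "timeout" bounds a silently filtered port
        if command -v timeout >/dev/null 2>&1; then
            timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
        else
            bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
        fi
    else
        nc -z -w 3 "$host" "$port" >/dev/null 2>&1
    fi
}

# check_policy_server HOST: probe all three ports, print a verdict per port,
# and return the number of ports that could not be reached (0 = all good).
check_policy_server() {
    host=$1
    failed=0
    for entry in "authentication:$PS_AUTHN_PORT" \
                 "authorization:$PS_AUTHZ_PORT" \
                 "accounting:$PS_ACCT_PORT"; do
        name=${entry%%:*}
        port=${entry#*:}
        if check_ps_port "$host" "$port"; then
            echo "OK       $host:$port ($name)"
        else
            echo "BLOCKED  $host:$port ($name) - check firewall / Policy Server listener"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: ./check_ps.sh <policy-server-ip>
if [ "$#" -ge 1 ]; then
    check_policy_server "$1"
fi
```

    A non-zero exit code with no error on the Policy Server side points at the network path rather than the agent definition, which is the split Ujwol's reply asks you to make.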



  • 3.  Re: Tunnel Agent failure while using javadmsapi

    Posted Apr 12, 2018 03:02 AM

    Hi Ujwol,

    I used the password blob RBP, but I am still getting the tunnel exception error. There are no errors in the PS logs, and I am running this Java client on the Policy Server machine, hence telnet and firewall will not be an issue. I am trying to figure out what the issue is, but I do not understand the use of the 4x agent I have created.

     

    After creating a 4x agent in PS, do we also have to register this agent? Please help me understand the use of the agent and its proper configuration with the Java client. I feel this is where I am lacking.

     

    Thanks always!



  • 4.  Re: Tunnel Agent failure while using javadmsapi

    Posted Apr 12, 2018 03:13 AM

    Hi Rashmeet,

     

    In order to perform DMS API calls, you will first need to establish an AgentAPI connection with the Policy Server.

    To establish the AgentAPI connection, you need a 4x agent (or a 5x agent).

     

    This is analogous to how a web agent first needs to establish a handshake with the Policy Server using the 5x agent (SmHost.conf). Only after establishing this AgentAPI connection can the agent perform IsProtected/IsAuthenticated or DMSAPI calls to the Policy Server.

     

    Can you share your debug logs? And your sample code?

     

    Regards,

    Ujwol



  • 5.  Re: Tunnel Agent failure while using javadmsapi

    Posted Apr 12, 2018 03:16 AM

    Also, use the pure Java Agent API (smagentapi.jar) and NOT the JNI agent (smjavaagentapi.jar).



  • 6.  Re: Tunnel Agent failure while using javadmsapi

    Posted Apr 12, 2018 03:19 AM

    Yes, I am using smagentapi only. Attaching the code.

     

     


    import java.io.*;
    import java.text.*;
    import java.util.*;
    import java.net.InetAddress;

    import com.netegrity.sdk.apiutil.*;
    import com.netegrity.sdk.policyapi.*;
    import com.netegrity.sdk.dmsapi.*;
    import netegrity.siteminder.javaagent.*;

    public class ReadPasswordBlob
    {
        // Logging
        private static PrintWriter logWriter = null;
        private static final String CRLF = System.getProperty("line.separator");
        private static boolean LOGGING_DETAIL = false;
        private static String SECTION_SEP = "";

        // Connection to the policy server
        public static SmApiConnection apiConnection = null;

        // Resource and the client IP
        public static String RESOURCE = null;
        public static String CLIENT_IP = null;

        // Command line args (values redacted in the original post)
        private static String LOGFILE = "ReadPasswordBlob.log";
        private static String PS_IP = "*****,******";
        private static String AGENT_IP = "*****,******";
        private static String AGENT_NAME = "test_wa_javautility";
        private static String AGENT_SECRET = "*****";
        private static String USER_DIR = "******";
        private static String ORG_ROOT = "******";
        private static String USER_DN = "******";
        private static String ADMIN = "******";
        private static String ADMIN_PWD = "******";

        public static void main(String[] args)
        {
            // Parse command line arguments
            for (int i = 0; i < args.length; ++i)
            {
                String arg = args[i].trim();

                // '-l' enables logging to a file
                if (arg.equalsIgnoreCase("-l"))
                {
                    try
                    {
                        logWriter = new PrintWriter(new BufferedWriter(new FileWriter(LOGFILE)));
                    }
                    catch (IOException ioe)
                    {
                        LogException(ioe);
                        logWriter = null; // no logging
                    }
                    // 'continue' rather than the original 'break', which stopped
                    // parsing and silently ignored every option that followed -l
                    continue;
                }
                if (arg.equalsIgnoreCase("-psip") && i + 1 < args.length)
                {
                    PS_IP = args[i + 1];
                }
                if (arg.equalsIgnoreCase("-agentname") && i + 1 < args.length)
                {
                    AGENT_NAME = args[i + 1];
                }
                if (arg.equalsIgnoreCase("-agentsecret") && i + 1 < args.length)
                {
                    AGENT_SECRET = args[i + 1];
                }
                if (arg.equalsIgnoreCase("-agentip") && i + 1 < args.length)
                {
                    AGENT_IP = args[i + 1];
                }
                if (arg.equalsIgnoreCase("-userdir") && i + 1 < args.length)
                {
                    USER_DIR = args[i + 1];
                }
                if (arg.equalsIgnoreCase("-userdn") && i + 1 < args.length)
                {
                    USER_DN = args[i + 1];
                }
                if (arg.equalsIgnoreCase("-orgroot") && i + 1 < args.length)
                {
                    ORG_ROOT = args[i + 1];
                }
                if (arg.equalsIgnoreCase("-adminuser") && i + 1 < args.length)
                {
                    ADMIN = args[i + 1];
                }
                if (arg.equalsIgnoreCase("-adminpass") && i + 1 < args.length)
                {
                    ADMIN_PWD = args[i + 1];
                }
                if (arg.equalsIgnoreCase("-debug") && i + 1 < args.length)
                {
                    LOGGING_DETAIL = java.lang.Boolean.parseBoolean(args[i + 1]);
                }
                if (arg.equalsIgnoreCase("-h") || arg.equalsIgnoreCase("-help"))
                {
                    System.out.println("Usage: java ReadPasswordBlob -psip <policyserverip> -adminuser <user> -adminpass <pass> -orgroot <basedn> -userdn <userdn> -userdir <siteminderuserdir> -agentname <agentname> -agentsecret <agentsecret> -debug <true|false>");
                    return;
                }
            }

            ReadPasswordBlob dmsApiSample = new ReadPasswordBlob();

            // Connect to the policy server. Note that the 4.x InitDef below takes
            // only the agent name, the shared secret, the failover flag and the
            // ServerDef; AGENT_IP is parsed but never used by this program.
            String agentName = AGENT_NAME;
            String agentSecret = AGENT_SECRET;

            AgentAPI agentapi = new AgentAPI();
            ServerDef serverdef = new ServerDef();
            serverdef.serverIpAddress = PS_IP;
            serverdef.connectionMin = 1;
            serverdef.connectionMax = 3;
            serverdef.connectionStep = 1;
            serverdef.timeout = 75;
            serverdef.authenticationPort = 44442;
            serverdef.authorizationPort = 44443;
            serverdef.accountingPort = 44441;

            // Deliberately does not print AGENT_SECRET or ADMIN_PWD
            System.out.println("PS_IP=" + PS_IP + " AGENT_IP=" + AGENT_IP + " AGENT_NAME=" + AGENT_NAME + " USER_DIR=" + USER_DIR + " ORG_ROOT=" + ORG_ROOT + " USER_DN=" + USER_DN + " ADMIN=" + ADMIN);

            InitDef initdef = new InitDef(agentName,
                                          agentSecret,
                                          false,
                                          serverdef);

            // This is the AgentAPI handshake; a tunnel failure surfaces here
            int retcode = agentapi.init(initdef);

            if (retcode != AgentAPI.SUCCESS)
            {
                LogFatal("FAILED_CONNECT retcode=" + retcode);
            }

            apiConnection = new SmApiConnection(agentapi);

            // Run the main tests
            dmsApiSample.useDirectoryContext();

            if (logWriter != null)
            {
                logWriter.close();
            }
            System.exit(0);
        }


        // This function call uses the directory context
        public void useDirectoryContext()
        {
            // First get the directory context
            SmDmsDirectoryContext directoryContext = getDirectoryContext();

            if (directoryContext == null)
            {
                return;
            }

            // directoryContext contains a valid agent API connection
            // and administrator session spec.
            SmDmsDirectory dmsDirectory = directoryContext.getDmsDirectory();

            if (dmsDirectory == null)
            {
                return;
            }

            getCalls(dmsDirectory);
        }


        public SmDmsDirectoryContext getDirectoryContext()
        {
            try
            {
                SmApiResult result = new SmApiResult();

                // Session object using default static Agent API handle.
                SmApiSession apiSession = new SmApiSession(apiConnection);
                boolean loginResult = adminLogin(apiSession);

                if (!loginResult)
                {
                    return null;
                }

                // Get a list of user directories the admin can manage.
                SmPolicyApi policyApi = new SmPolicyApiImpl(apiSession);
                Vector userDirs = new Vector();

                // Returns a list of directory names.
                result = policyApi.getAdminUserDirs(ADMIN, userDirs);
                System.out.print("\nGet user directory list: ");
                printObject(userDirs, result, false);

                // Check if the USER_DIR can be found in the list.
                SmUserDirectory userDir = null;

                for (int i = 0; i < userDirs.size(); ++i)
                {
                    String dir = (String) userDirs.get(i);

                    if (dir.equals(USER_DIR))
                    {
                        userDir = new SmUserDirectory(USER_DIR);
                        result = policyApi.getUserDirectory(USER_DIR, userDir);
                        System.out.print("\nGet user directory " + userDir + ": ");
                        printObject(userDir, result, false);
                    }
                }

                if (userDir == null)
                {
                    LogError("Failed to locate user directory " + USER_DIR + " in policy store user directories list.");
                    return null;
                }

                SmDmsApi dmsApi = new SmDmsApiImpl(apiSession);
                SmDmsDirectoryContext dirContext = new SmDmsDirectoryContext();
                result = dmsApi.getDirectoryContext(userDir, new SmDmsConfig(), dirContext);

                // Added check: the original returned the context even when the
                // call failed, which only showed up later as a null directory.
                if (!result.isSuccess())
                {
                    LogError("Failed to get directory context for " + USER_DIR);
                    printObject(null, result, false);
                    return null;
                }

                // The dmsDir contains both session and agent connection.
                // At this time it contains SiteMinder administrator session.
                // From here if you continue using the same SiteMinder administrator.
                return dirContext;
            }
            catch (SmApiException apiException)
            {
                LogException(apiException);
            }

            return null;
        }


        public void getCalls(SmDmsDirectory dmsDir)
        {
            try
            {
                // Get capabilities of the Dms Directory
                Vector capabilities = new Vector();
                SmApiResult result = dmsDir.getCapabilities(capabilities);
                System.out.print("\nGet capabilities: ");
                printObject(capabilities, result, false);

                // Get organization
                SmDmsOrganization org = dmsDir.newOrganization(ORG_ROOT);
                result = org.getObject();

                // Get User
                SmDmsUser user = org.newUser(USER_DN);
                user.clearAttributes();
                result = user.getObject();

                if (!result.isSuccess())
                {
                    System.out.println("\nFailed to access user: " + USER_DN);
                    System.out.println(result.getMessage());
                    System.out.println("Aborting");
                    System.exit(1);
                }

                // Get Password State
                Log(CRLF + "\nObtaining Password State: ");
                SmDmsUserPWState pwstate = new SmDmsUserPWState();
                result = user.getUserPWState(pwstate);
                Date lastLoginTime = pwstate.getLastLoginTime();
                Date prevLoginTime = pwstate.getPrevLoginTime();
                Date disabledTime = pwstate.getDisabledTime();
                Date lastPWChangeTime = pwstate.getLastPWChangeTime();
                int loginFailures = pwstate.getLoginFailures();

                SimpleDateFormat format = new SimpleDateFormat("MMMM dd yyyy kk:mm:ss");
                System.out.print("\nLoginFailures: " + loginFailures);
                System.out.print("\nLastLoginTime: " + fmtDate(format, lastLoginTime));
                System.out.print("\nPrevLoginTime: " + fmtDate(format, prevLoginTime));
                System.out.print("\nDisabledTime: " + fmtDate(format, disabledTime));
                System.out.print("\nLastPWChangeTime: " + fmtDate(format, lastPWChangeTime));

                if (LOGGING_DETAIL == true)
                {
                    Log(CRLF + pwstate.toString());
                }
            }
            catch (SmApiException apiException)
            {
                LogException(apiException);
            }
        }


        // Added guard: SimpleDateFormat.format(null) throws a NullPointerException,
        // so a timestamp that was never set (no login yet, never disabled) would
        // otherwise crash the tool instead of being reported.
        private static String fmtDate(SimpleDateFormat format, Date date)
        {
            return (date == null) ? "never" : format.format(date);
        }


        public boolean adminLogin(SmApiSession apiSession)
        {
            // SiteMinder admin login.
            try
            {
                InetAddress address = InetAddress.getLocalHost();

                SmApiResult result = apiSession.login(ADMIN,
                                                      ADMIN_PWD,
                                                      address,
                                                      0);

                if (!result.isSuccess())
                {
                    printObject(null, result, false);
                    return false;
                }
            }
            catch (java.net.UnknownHostException uhe)
            {
                LogException(uhe);
                return false;
            }
            catch (SmApiException apiException)
            {
                LogException(apiException);
                return false;
            }

            return true;
        }


        private static void printObject(Object obj,
                                        final SmApiResult result,
                                        boolean bMustFail)
        {
            if (bMustFail == false)
            {
                if (!result.isSuccess())
                {
                    Log("STATUS_NOT_OK");
                }
                else
                {
                    Log("STATUS_OK");
                }
            }
            else
            {
                if (!result.isSuccess())
                {
                    Log("STATUS_OK");
                }
                else
                {
                    Log("STATUS_NOT_OK");
                }
            }

            if (LOGGING_DETAIL == true)
            {
                Log(CRLF + pad("Result Code") + result.toString());

                if (obj != null)
                {
                    if (obj instanceof com.netegrity.sdk.policyapi.SmObject)
                    {
                        SmObject SmObj = (SmObject) obj;
                        Hashtable properties = new Hashtable(25);
                        SmObj.writeProperties(properties);
                        obj = properties;
                    }
                    else if (obj instanceof com.netegrity.sdk.dmsapi.SmDmsObject)
                    {
                        SmDmsObject dmsObj = (SmDmsObject) obj;
                        obj = dmsObj.getAttributes();
                    }

                    if (obj instanceof java.util.Hashtable)
                    {
                        Enumeration ekeys = ((Hashtable) obj).keys();
                        Enumeration evalues = ((Hashtable) obj).elements();
                        boolean bFirstElem = true;

                        while (evalues.hasMoreElements())
                        {
                            if (!bFirstElem)
                            {
                                Log(CRLF + "\t\t\t\t\t");
                            }

                            Log(ekeys.nextElement() + "=" + evalues.nextElement());
                            bFirstElem = false;
                        }
                    }
                    else if (obj instanceof java.util.Vector)
                    {
                        Enumeration evalues = ((Vector) obj).elements();
                        boolean bFirstElem = true;

                        while (evalues.hasMoreElements())
                        {
                            if (!bFirstElem)
                            {
                                Log(CRLF + "\t\t\t\t\t");
                            }

                            Log(evalues.nextElement().toString());
                            bFirstElem = false;
                        }
                    }
                }
            }
        }


        private static String pad(Object object)
        {
            String message = object.toString();
            String padding = "\t.............................\t";
            String ret = padding.substring(0, 1) + message;

            if (message.length() < padding.length() - 3)
            {
                ret += padding.substring(message.length() + 1);
            }
            else
            {
                ret += padding.substring(padding.length() - 2);
            }

            return ret;
        }


        private static void Log(String log)
        {
            System.out.print(log);

            if (logWriter != null)
            {
                logWriter.print(log);
            }
        }


        private static void LogError(String errLog)
        {
            Log(CRLF + "ERROR: " + errLog);
        }


        private static void LogException(Exception e)
        {
            Log(CRLF + "EXCEPTION: " + e.getMessage());
        }


        private static void LogFatal(String fatalLog)
        {
            Log(CRLF + "FATAL: " + fatalLog);

            if (logWriter != null)
            {
                logWriter.close();
            }

            System.exit(-1);
        }
    }

    // EOF DmsApiSample.java



  • 7.  Re: Tunnel Agent failure while using javadmsapi

    Posted Apr 12, 2018 03:20 AM

    I have a question here: the agent name that I am using was just created in the admin console. It's not registered, hence it will not have an smhost.conf file. I am trying to understand what needs to be done with the agent name and its details that we provide in the code.



  • 8.  Re: Tunnel Agent failure while using javadmsapi

    Posted Apr 12, 2018 11:33 AM

    Hi Shivam,


    Could you try enabling debug and share the debug log?


    Enable Pure Java Agent API Tracing

    ============================


    The pure Java Agent API supports detailed trace messages, which are printed to the console. These messages can be useful when running a command-line tool that uses the Agent API, such as smreghost.

    To enable trace messages, set a system property named enableDebug to "true".


    From the command line, add -Dcom.ca.siteminder.sdk.agentapi.enableDebug="true". For example:

    >SM_SMREGHOST_CLASSPATH="c:\ca\sdk\java\smagentapi.jar;c:\ca\sdk\java\cryptoj.jar"

    >java -Dcom.ca.siteminder.sdk.agentapi.enableDebug="true" -classpath %SM_SMREGHOST_CLASSPATH% com.ca.siteminder.sdk.agentapi.SmRegHost -i 127.0.0.1 -hc host_conf1