Layer 7 Access Management

SPS /PROXYUI cannot login, 500 error  (with smpolicy-secure.xml)

    Posted 11-01-2017 05:57 PM

    Team,

     

    During an exercise to deploy the latest CA SSO SPS/Access Gateway, we noted an HTTP 500 error message.

     

    While troubleshooting, we identified the root cause, and collected our notes below to share.

     

     

    This may be similar to other community notes:

    CA SSO R12.52 SP1: SPS /PROXYUI cannot login, 500 error 

     

     

    After our investigation with the SSO PS logs, and the SPS AFF trace logs, we were able to determine that use of the secure configuration sample of smpolicy-secure.xml impacted the communication from the SPS to the SSO Policy Server.

        • Example:  $SMHOME/bin/XPSImport $SMHOME/db/smpolicy-secure.xml -npass -vT

     

     

    Current Resolution:

      • Update the SM Policy Store for the ACO for SPS
        • Note:  the smpolicy-secure.xml will enable extra security features that will impact SPS to SSO communication.
        • Step 1: Add the agent name to the “DefaultAgentName” token of the ACO
        • Step 2: Comment out the Token “#AgentName”
        • Step 3: For SPS use – Disable CSS Checking Token
        • Step 4: For SPS use – Disable these four (4) tokens [Note: #BadFormChars is usually already disabled]
        • Step 5: For SPS use – Disable this token: “#ValidTargetDomain”

       

       

      ####  Additional notes ####

       

        • How to enable trace logging for SPS AFF service

       

       

    • End Result: ProxyUI Authentication Screen

     

    After authentication to SPS/AG ProxyUI:

    Note:  Address the above permission issue with this tech note:

    https://support.ca.com/us/knowledge-base-articles.TEC1304259.html

    Cheers,

     

    A.