Symantec Access Management

  • 1.  Failed to create the super user account(Policy Server)

    Posted May 01, 2018 04:46 PM

    Hi All,

     

    I am trying to install Policy Server 12.7 (64-bit) on Windows Server 2012 R2:

    I followed https://support.ca.com/phpdocs/7/5262/5262-12-7-platform-support-matrix.pdf as the support matrix

    Windows Server 2012R2

    CA directory 12.6 as policy store

    Java 1.8.171

    Followed Configure a CA Directory Policy Store - CA Single Sign-On - 12.7 - CA Technologies Documentation  in order to configure policy store after successfully installing policy store.

    It fails while setting up the super user: 

    "C:\Program Files\CA\siteminder\bin>smreg -su siteminder
    The super user could not be saved in the policy store.
    Failed to create the super user account."

    I can also see some errors in the DSA logs while executing the above command:

     

    "[176] 20180501.132126.652 WARN : LDAP: Unknown attribute type: smSharedSecretPolicyOID6
    [176] 20180501.132126.652 WARN : LDAP: invalid oid: smSharedSecretPolicy6
    [180] 20180501.132126.667 WARN : LDAP: Unknown attribute type: smAdminOID4
    [180] 20180501.132126.667 WARN : LDAP: invalid oid: smadmin4
    [184] 20180501.132126.667 WARN : LDAP: Unknown attribute type: smAdminOID4
    [184] 20180501.132126.667 WARN : LDAP: Unknown attribute type: smAdminOID4
    [184] 20180501.132126.667 WARN : LDAP: invalid oid: smadmin4"

     

    Almost all of the attributes are from the netegrity.dxc file.

     

    I am able to connect to LDAP from the Policy Server Management Console. Only the smreg command fails.

     

    Any suggestions?

     

    Thanks,

    Amit



  • 2.  Re: Failed to create the super user account(Policy Server)

    Posted May 01, 2018 04:58 PM

    Looks like you haven't imported the policy store schema for the DSA:


    Create the Policy Store Schema

    You create the policy store schema so the directory server can function as a policy store.

    Important! By default, CA Directory configuration files are read–only. Any CA Directory files that you are instructed to modify, must be updated for write permission. Once the files are updated, you can revert the permission to read–only. Also, all default.*** files provided by CA Directory are overwritten during a CA Directory upgrade. Use caution when modifying any read-only files. 

    Follow these steps:

    1. Copy the following files into the CA Directory DXHOME\config\schema directory:
      • netegrity.dxc
      • etrust.dxc
      • DXHOME
        Specifies the Directory Server installation path.
        • Windows: %DXHOME%
        • Unix/Linux: $DXHOME
      Note: The netegrity.dxc file is installed with the Policy Server in siteminder_home\eTrust. The etrust.dxc file is installed with the Policy Server in siteminder_home\xps\db.
      • siteminder_home
        Specifies the Policy Server installation path.
    2. Create a CA Single Sign-On schema file by copying the default.dxg schema file and renaming it.
      Note: The default.dxg schema file is located in DXHOME\config\schema\default.dxg.
      Example: copy the default.dxg schema file and rename the copy to smdsa.dxg
    3. Add the following lines to the bottom of the new CA Single Sign-On schema file:

      #CA Schema

      source "netegrity.dxc";

      source "etrust.dxc";

    4. Edit the DXI file of the DSA (DSA_Name.dxi) by changing the schema from default.dxg to the new CA Single Sign-On schema file.
      • DSA_Name
        Represents the name of the DSA you created for the policy store.
      Note: The DXI file is located in DXHOME\config\servers. 
    5. Add the following lines to the end of the DXI file of the DSA:

      # cache configuration

      set ignore-name-bindings = true;

    6. Copy the default limits DXC file of the DSA (default.dxc) to create a CA Single Sign-On DXC file.
      Example: Copy the default DXC file and rename the copy smdsa.dxc.

      Note: The default DXC file is located in DXHOME\dxserver\config\limits. 
    7. Edit the settings in the new DXC file to match the following:

      # size limits

      set max-users = 1000;

      set credits = 5;

      set max-local-ops = 1000;

      set max-op-size = 4000;

      set multi-write-queue = 20000;

      Note: Editing the size limits settings prevents cache size errors from appearing in your CA Directory log files. 
      Important! The multi-write-queue setting is for text–based configurations only. If the DSA is set up with DXmanager, omit this setting. 
    8. Save the DXC file.
    9. Edit the DXI file of the DSA (DSA_Name.dxi) by changing the limits configuration from default.dxc to the new CA Single Sign-On limits file.
      Example: change the limits configuration from default.dxc to smdsa.dxc.
      • DSA_Name
        Represents the name of the DSA you created for the policy store.

        Note: The DXI file of the DSA is located in DXHOME\config\servers. If you created the DSA using DXmanager, the existing limits file is named dxmanager.dxc.
    10. As the DSA user, stop and restart the DSA using the following commands:

      dxserver stop DSA_Name

      dxserver start DSA_Name

      • DSA_Name
        Specifies the name of the DSA.
      The policy store schema is created.
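
A way to confirm the file edits from steps 1 to 9 of the procedure quoted above before restarting the DSA. This is an added example, not part of the original post or of CA's tooling; the function names and the DSA name `smps` are hypothetical, and it assumes the DXI file pulls in its schema and limits files with the same `source "file";` directive that step 3 shows.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the DXI file uses the `source "file";` directive that step 3 shows.
SOURCE = re.compile(r'^\s*source\s+"([^"]+)"\s*;', re.M)
BINDINGS = re.compile(r'^\s*set\s+ignore-name-bindings\s*=\s*true\s*;', re.M)

def read_sources(path):
    """Return (text, lower-cased base names of sourced files); '#' lines never match."""
    text = path.read_text(errors="replace") if path.is_file() else ""
    return text, {n.replace("\\", "/").rsplit("/", 1)[-1].lower() for n in SOURCE.findall(text)}

def check_dsa(dxhome, dsa_name, schema="smdsa.dxg", limits="smdsa.dxc"):
    """List the file edits from steps 1-9 that are missing; an empty list means none."""
    cfg, problems = Path(dxhome) / "config", []
    dxi = cfg / "servers" / f"{dsa_name}.dxi"
    have = read_sources(cfg / "schema" / schema)[1]
    dxi_text, refs = read_sources(dxi)
    for name in ("netegrity.dxc", "etrust.dxc"):
        if not (cfg / "schema" / name).is_file():
            problems.append(f"step 1: {name} not in config/schema")
        if name not in have:
            problems.append(f"steps 2-3: {schema} does not source {name}")
    if schema.lower() not in refs or "default.dxg" in refs:
        problems.append(f"step 4: {dxi.name} does not switch the schema to {schema}")
    if not BINDINGS.search(dxi_text):
        problems.append("step 5: ignore-name-bindings is not set to true")
    if limits.lower() not in refs:
        problems.append(f"step 9: {dxi.name} does not source {limits}")
    return problems

def demo():
    """Constructed DXHOME tree in which step 4 was skipped: check, fix, check again."""
    with tempfile.TemporaryDirectory() as tmp:
        schema, servers = Path(tmp, "config", "schema"), Path(tmp, "config", "servers")
        schema.mkdir(parents=True)
        servers.mkdir()
        for name in ("netegrity.dxc", "etrust.dxc"):
            (schema / name).write_text("# constructed placeholder\n")
        (schema / "smdsa.dxg").write_text('source "netegrity.dxc";\nsource "etrust.dxc";\n')
        dxi = servers / "smps.dxi"  # "smps" is a hypothetical DSA name
        dxi.write_text('source "../schema/default.dxg";\nsource "../limits/smdsa.dxc";\n'
                       'set ignore-name-bindings = true;\n')
        before = check_dsa(tmp, "smps")
        dxi.write_text(dxi.read_text().replace("default.dxg", "smdsa.dxg"))
        return before, check_dsa(tmp, "smps")

if __name__ == "__main__":
    print(demo())
```

On a real installation, call `check_dsa` with the DXHOME path and the DSA name, passing `schema=` and `limits=` if the copies were not named smdsa.dxg and smdsa.dxc.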


  • 3.  Re: Failed to create the super user account(Policy Server)

    Posted May 02, 2018 12:28 AM

    Hi Ujwol,

     

    I have already done it. I mentioned it in my question as well.

     

    Followed Configure a CA Directory Policy Store - CA Single Sign-On - 12.7 - CA Technologies Documentation  in order to configure policy store after successfully installing policy store.

     

    Kindly suggest



  • 4.  Re: Failed to create the super user account(Policy Server)

    Posted May 02, 2018 12:40 AM

    When I run the smreg -su siteminder command, I can find the following DSA logs. All these invalid attributes are in Netegrity.dxc.

     

    [0] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smRootConfigOID4
    [0] 20180501.213554.907 WARN : LDAP: invalid oid: smRootConfig5
    [200] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smRootConfigOID4
    [200] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smRootConfigOID4
    [200] 20180501.213554.907 WARN : LDAP: invalid oid: smRootConfig5
    [12] 20180501.213554.907 WARN : LDAP: Unknown attribute type: SMROOTCONFIGOID4
    [140] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smRootConfigOID4
    [140] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smRootConfigOID4
    [140] 20180501.213554.907 WARN : LDAP: invalid oid: smRootConfig5
    [88] 20180501.213554.907 WARN : LDAP: Unknown attribute type: SMROOTCONFIGOID4
    [104] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smDomainOID4
    [104] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smDomainMode5
    [104] 20180501.213554.907 WARN : LDAP: invalid oid: smdomain5
    [105] 20180501.213554.907 WARN : LDAP: invalid oid: smAgentgroup4
    [188] 20180501.213554.907 WARN : LDAP: invalid oid: smAgent5
    [0] 20180501.213554.907 WARN : LDAP: invalid oid: smdomain5
    [200] 20180501.213554.907 WARN : LDAP: invalid oid: smscheme4
    [12] 20180501.213554.907 WARN : LDAP: invalid oid: smuserdirectory5
    [140] 20180501.213554.907 WARN : LDAP: invalid oid: smadmin4
    [88] 20180501.213554.907 WARN : LDAP: invalid oid: smAgentType4
    [104] 20180501.213554.907 WARN : LDAP: invalid oid: smauthazmap4
    [105] 20180501.213554.907 WARN : LDAP: invalid oid: smcertmap4
    [188] 20180501.213554.907 WARN : LDAP: invalid oid: smodbcquery4
    [0] 20180501.213554.907 WARN : LDAP: invalid oid: smselfreg4
    [200] 20180501.213554.907 WARN : LDAP: invalid oid: smpasswordpolicy5
    [12] 20180501.213554.907 WARN : LDAP: invalid oid: smRootConfig5
    [140] 20180501.213554.907 WARN : LDAP: invalid oid: smVariableType5
    [88] 20180501.213554.907 WARN : LDAP: invalid oid: smPropertyCollection5
    [104] 20180501.213554.907 WARN : LDAP: invalid oid: smTaggedString5
    [105] 20180501.213554.907 WARN : LDAP: invalid oid: smTrustedHost5
    [188] 20180501.213554.907 WARN : LDAP: invalid oid: smKeyManagement4
    [0] 20180501.213554.907 WARN : LDAP: invalid oid: smAgentKey4
    [200] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smSharedSecretPolicyOID6
    [200] 20180501.213554.907 WARN : LDAP: invalid oid: smSharedSecretPolicy6
    [12] 20180501.213554.922 WARN : LDAP: Unknown attribute type: smAdminOID4
    [12] 20180501.213554.922 WARN : LDAP: invalid oid: smadmin4
    [140] 20180501.213554.922 WARN : LDAP: Unknown attribute type: smAdminOID4
    [140] 20180501.213554.922 WARN : LDAP: Unknown attribute type: smAdminOID4
    [140] 20180501.213554.922 WARN : LDAP: invalid oid: smadmin4
    [88] 20180501.213554.922 WARN : LDAP: Unknown attribute type: SMADMINOID4
    [104] 20180501.213554.922 WARN : LDAP: Unknown attribute type: smAdminOID4
    [104] 20180501.213554.922 WARN : LDAP: Unknown attribute type: smAdminOID4
    [104] 20180501.213554.922 WARN : LDAP: invalid oid: smadmin4
    [105] 20180501.213554.922 WARN : LDAP: Unknown attribute type: SMADMINOID4



  • 5.  Re: Failed to create the super user account(Policy Server)
    Best Answer

    Posted May 02, 2018 01:43 AM

    Hi All,

     

    I installed Policy Server again after properly uninstalling Policy Server, and I am able to set the siteminder password now.

     

    Thanks