Symantec Access Management

Expand all | Collapse all

Failed to create the super user account(Policy Server)

Jump to Best Answer
  • 1.  Failed to create the super user account(Policy Server)

    Posted 05-01-2018 04:46 PM

    Hi All,

     

    I am trying to install policy server 12.7(64 bit) on windows server 2012R2:

    I followed https://support.ca.com/phpdocs/7/5262/5262-12-7-platform-support-matrix.pdf as the support matrix

    Windows Server 2012R2

    CA directory 12.6 as policy store

    Java 1.8.171

    Followed Configure a CA Directory Policy Store - CA Single Sign-On - 12.7 - CA Technologies Documentation  in order to configure policy store after successfully installing policy store.

    It fails while setting up the super user: 

    "C:\Program Files\CA\siteminder\bin>smreg -su siteminder
    The super user could not be saved in the policy store.
    Failed to create the super user account."

     I can also see some errors in dsa logs while executing above command

     

    "[176] 20180501.132126.652 WARN : LDAP: Unknown attribute type: smSharedSecretPolicyOID6
    [176] 20180501.132126.652 WARN : LDAP: invalid oid: smSharedSecretPolicy6
    [180] 20180501.132126.667 WARN : LDAP: Unknown attribute type: smAdminOID4
    [180] 20180501.132126.667 WARN : LDAP: invalid oid: smadmin4
    [184] 20180501.132126.667 WARN : LDAP: Unknown attribute type: smAdminOID4
    [184] 20180501.132126.667 WARN : LDAP: Unknown attribute type: smAdminOID4
    [184] 20180501.132126.667 WARN : LDAP: invalid oid: smadmin4"

     

    Mostly all the attributes are from netegrity.dxc file

     

    I am able to connect LDAP from policy server management console. Only the smreg command fails.

     

    Any suggestions, 

     

    Thanks,

    Amit



  • 2.  Re: Failed to create the super user account(Policy Server)

    Posted 05-01-2018 04:58 PM

    Looks like you havent imported the policy store schema for the DSA:


    Create the Policy Store Schema

    You create the policy store schema so the directory server can function as a policy store.

    Important! By default, CA Directory configuration files are read–only. Any CA Directory files that you are instructed to modify, must be updated for write permission. Once the files are updated, you can revert the permission to read–only. Also, all default.*** files provided by CA Directory are overwritten during a CA Directory upgrade. Use caution when modifying any read-only files. 

    Follow these steps:

    1. Copy the following files into the CA Directory DXHOME\config\schema directory:
      • netegrity.dxc
      • etrust.dxc
      • DXHOME
        Specifies the Directory Server installation path.
      Note: The netegrity.dxc file is installed with the Policy Server in siteminder_home\eTrust. The etrust.dxc file is installed with the Policy Server in siteminder_home\xps\db. 
      • siteminder_home
        Specifies the Policy Server installation path.
        • Windows %DXHOME%
        • Unix/Linux: $DXHOME
    2. Create a CA Single Sign-On schema file by copying the default.dxg schema file and renaming it.
      Note: The default.dxg schema file is located in DXHOME\config\schema\default.dxg.
      Example: copy the default.dxg schema file and rename the copy to smdsa.dxg
    3. Add the following lines to the bottom of the new CA Single Sign-On schema file:

      #CA Schema

      source "netegrity.dxc";

      source "etrust.dxc";

    4. Edit the DXI file of the DSA (DSA_Name.dxi) by changing the schema from default.dxg to the new CA Single Sign-On schema file.
      • DSA_Name
        Represents the name of the DSA you created for the policy store.
      Note: The DXI file is located in DXHOME\config\servers. 
    5. Add the following lines to the end of the DXI file of the DSA:

      # cache configuration

      set ignore-name-bindings = true;

    6. Copy the default limits DXC file of the DSA (default.dxc) to create a CA Single Sign-On DXC file.
      Example: Copy the default DXC file and rename the copy smdsa.dxc.

      Note: The default DXC file is located in DXHOME\dxserver\config\limits. 
    7. Edit the settings in the new DXC file to match the following:

      # size limits

      set max-users = 1000;

      set credits = 5;

      set max-local-ops = 1000;

      set max-op-size = 4000;

      set multi-write-queue = 20000;

      Note: Editing the size limits settings prevents cache size errors from appearing in your CA Directory log files. 
      Important! The multi-write-queue setting is for text–based configurations only. If the DSA is set up with DXmanager, omit this setting. 
    8. Save the DXC file.
    9. Edit the DXI file of the DSA (DSA_Name.dxi) by changing the limits configuration from default.dxc to the new CA Single Sign-On limits file.
      Example: change the limits configuration from default.dxc to smdsa.dxc.
      • DSA_Name
        Represents the name of the DSA you created for the policy store.

        Note: The DXI file of the DSA is located in DXHOME\config\servers.If you created the DSA using DXmanager, the existing limits file is named dxmanager.dxc. 
    10. As the DSA user, stop and restart the DSA using the following commands:

      dxserver stop DSA_Name

      dxserver start DSA_Name

      • DSA_Name
        Specifies the name of the DSA.
      The policy store schema is created.


  • 3.  Re: Failed to create the super user account(Policy Server)

    Posted 05-02-2018 12:28 AM

    Hi Ujwol,

     

    I already have done it. I mentioned it in my question as well

     

    Followed Configure a CA Directory Policy Store - CA Single Sign-On - 12.7 - CA Technologies Documentation  in order to configure policy store after successfully installing policy store.

     

    Kindly suggest



  • 4.  Re: Failed to create the super user account(Policy Server)

    Posted 05-02-2018 12:40 AM

    when I run smreg - su siteminder command, I can find following dsa logs, All these invalid attributes are in Netegrity.dxc 

     

    [0] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smRootConfigOID4
    [0] 20180501.213554.907 WARN : LDAP: invalid oid: smRootConfig5
    [200] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smRootConfigOID4
    [200] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smRootConfigOID4
    [200] 20180501.213554.907 WARN : LDAP: invalid oid: smRootConfig5
    [12] 20180501.213554.907 WARN : LDAP: Unknown attribute type: SMROOTCONFIGOID4
    [140] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smRootConfigOID4
    [140] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smRootConfigOID4
    [140] 20180501.213554.907 WARN : LDAP: invalid oid: smRootConfig5
    [88] 20180501.213554.907 WARN : LDAP: Unknown attribute type: SMROOTCONFIGOID4
    [104] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smDomainOID4
    [104] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smDomainMode5
    [104] 20180501.213554.907 WARN : LDAP: invalid oid: smdomain5
    [105] 20180501.213554.907 WARN : LDAP: invalid oid: smAgentgroup4
    [188] 20180501.213554.907 WARN : LDAP: invalid oid: smAgent5
    [0] 20180501.213554.907 WARN : LDAP: invalid oid: smdomain5
    [200] 20180501.213554.907 WARN : LDAP: invalid oid: smscheme4
    [12] 20180501.213554.907 WARN : LDAP: invalid oid: smuserdirectory5
    [140] 20180501.213554.907 WARN : LDAP: invalid oid: smadmin4
    [88] 20180501.213554.907 WARN : LDAP: invalid oid: smAgentType4
    [104] 20180501.213554.907 WARN : LDAP: invalid oid: smauthazmap4
    [105] 20180501.213554.907 WARN : LDAP: invalid oid: smcertmap4
    [188] 20180501.213554.907 WARN : LDAP: invalid oid: smodbcquery4
    [0] 20180501.213554.907 WARN : LDAP: invalid oid: smselfreg4
    [200] 20180501.213554.907 WARN : LDAP: invalid oid: smpasswordpolicy5
    [12] 20180501.213554.907 WARN : LDAP: invalid oid: smRootConfig5
    [140] 20180501.213554.907 WARN : LDAP: invalid oid: smVariableType5
    [88] 20180501.213554.907 WARN : LDAP: invalid oid: smPropertyCollection5
    [104] 20180501.213554.907 WARN : LDAP: invalid oid: smTaggedString5
    [105] 20180501.213554.907 WARN : LDAP: invalid oid: smTrustedHost5
    [188] 20180501.213554.907 WARN : LDAP: invalid oid: smKeyManagement4
    [0] 20180501.213554.907 WARN : LDAP: invalid oid: smAgentKey4
    [200] 20180501.213554.907 WARN : LDAP: Unknown attribute type: smSharedSecretPolicyOID6
    [200] 20180501.213554.907 WARN : LDAP: invalid oid: smSharedSecretPolicy6
    [12] 20180501.213554.922 WARN : LDAP: Unknown attribute type: smAdminOID4
    [12] 20180501.213554.922 WARN : LDAP: invalid oid: smadmin4
    [140] 20180501.213554.922 WARN : LDAP: Unknown attribute type: smAdminOID4
    [140] 20180501.213554.922 WARN : LDAP: Unknown attribute type: smAdminOID4
    [140] 20180501.213554.922 WARN : LDAP: invalid oid: smadmin4
    [88] 20180501.213554.922 WARN : LDAP: Unknown attribute type: SMADMINOID4
    [104] 20180501.213554.922 WARN : LDAP: Unknown attribute type: smAdminOID4
    [104] 20180501.213554.922 WARN : LDAP: Unknown attribute type: smAdminOID4
    [104] 20180501.213554.922 WARN : LDAP: invalid oid: smadmin4
    [105] 20180501.213554.922 WARN : LDAP: Unknown attribute type: SMADMINOID4



  • 5.  Re: Failed to create the super user account(Policy Server)
    Best Answer

    Posted 05-02-2018 01:43 AM

    Hi All,

     

    I installed policy server again after properly uninstalling policy server, I am able to set siteminder password now

     

    Thanks