Symantec Access Management

  • 1.  CA SiteMinder - verify AdoptOpenJDK

    Posted Sep 13, 2020 11:50 PM
    What test cases or artifacts (log files, active processes, etc.) should be used or examined to confirm the desired version of AdoptOpenJDK is being used by the policy server?

    ------------------------------
    Engineer III
    Sutter Health (Contractor)
    ------------------------------


  • 2.  RE: CA SiteMinder - verify AdoptOpenJDK

    Broadcom Employee
    Posted Sep 14, 2020 04:31 PM
    Edited by Brian Dyson Sep 14, 2020 04:32 PM

    On Linux, I think the clearest way is to examine the process to see which JVM library has been loaded.

    For example, when the SiteMinder Policy Server is started, a monitoring Java process, SmMonAgentRun, is also started.

    $ ps -o cmd -p $(pgrep -f SmMonAgentRun) | cat
    CMD
    /opt/jdk-latest/jre/bin/java -Xrs -Xmx64m -Dnete.ps.root=/opt/CA/siteminder -classpath /opt/CA/siteminder/lib/smconapi.jar:/opt/CA/siteminder/lib/smmon.jar com.netegrity.smmonagent.SmMonAgentRun

    You can see that java was started as /opt/jdk-latest/jre/bin/java, but /opt/jdk-latest/ is actually a symlink to the directory where the latest version of Java has been extracted.

    The maps file under the process in the /proc file system shows the library mappings and this will show the path of loaded libraries. We want to see where the libjvm.so library has been loaded.

    $ grep libjvm /proc/$(pgrep -f SmMonAgentRun)/maps
    7f57ebff9000-7f57eccae000 r-xp 00000000 08:02 34697420 /opt/jdk8u265-b01/jre/lib/amd64/server/libjvm.so
    7f57eccae000-7f57ecead000 ---p 00cb5000 08:02 34697420 /opt/jdk8u265-b01/jre/lib/amd64/server/libjvm.so
    7f57ecead000-7f57ecf50000 r--p 00cb4000 08:02 34697420 /opt/jdk8u265-b01/jre/lib/amd64/server/libjvm.so
    7f57ecf50000-7f57ecf79000 rw-p 00d57000 08:02 34697420 /opt/jdk8u265-b01/jre/lib/amd64/server/libjvm.so

    And now we can confirm that the Java VM was loaded from /opt/jdk8u265-b01/jre/lib/amd64/server/libjvm.so.

    The same can be done by replacing the $(pgrep -f SmMonAgentRun) with $(pgrep -x smpolicysrv) to check the Policy Server process.

    Hope this helps.



    ------------------------------
    Security Integration & Adoption, Software Architect
    Broadcom
    ------------------------------
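
The maps check described in the answer above, as an added example that is not part of the original post: a POSIX shell script that extracts the libjvm.so path from a maps file and compares it with an expected JDK directory. The function names, return codes and the sample lines are assumptions made for this example; it also flags a mapping marked "(deleted)", which Linux shows when the mapped file has been removed since the process started.

```shell
#!/bin/sh
# Added example, not from the thread. The sample maps lines and the
# expected-directory arguments are constructed for illustration.

# Print each distinct libjvm.so pathname in a maps file ("-" reads stdin).
# Line format: address perms offset dev inode pathname
jvm_paths_from_maps() {
    awk 'NF >= 6 {
        sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "")   # keep pathname only
        if ($0 ~ /\/libjvm\.so( \(deleted\))?$/) print
    }' "$1" | sort -u
}

# Compare the mapped JVM with the expected JDK directory.
# Returns 0 = match, 1 = other JDK or library removed on disk, 2 = no JVM mapped.
check_jvm() {
    expected_dir=${2%/}
    paths=$(jvm_paths_from_maps "$1")
    [ -n "$paths" ] || { echo "NO-JVM: no libjvm.so mapped"; return 2; }
    status=0
    while IFS= read -r p; do
        case $p in
            *" (deleted)") echo "STALE: $p"; status=1 ;;   # file unlinked since start
            "$expected_dir"/*) echo "OK: $p" ;;
            *) echo "MISMATCH: $p (expected under $expected_dir)"; status=1 ;;
        esac
    done <<EOF
$paths
EOF
    return "$status"
}

# Constructed sample: a process started before its JDK directory was removed.
sample_stale_maps() {
    cat <<'EOF'
7f0000000000-7f0000cb5000 r-xp 00000000 08:02 1234 /opt/jdk-old/jre/lib/amd64/server/libjvm.so (deleted)
7f0000d00000-7f0000d21000 rw-p 00000000 00:00 0
EOF
}

# Live use: sh check_jvm.sh <pid> <expected JDK directory>
if [ $# -eq 2 ]; then
    check_jvm "/proc/$1/maps" "$2"
fi
```

Pass the extracted JDK directory (for example /opt/jdk8u265-b01) rather than the /opt/jdk-latest symlink, because the maps file lists the resolved path.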