Symantec Access Management

  • 1.  1252 SP1 wamui Registration on Multiple Policy Servers running 1252 SP1

    Posted Jun 29, 2015 09:55 AM

    Hi,

    My goal is to have multiple standalone WAMUI's registered with same policy store.

     

    I am able to register WAMUI successfully after the 1st policy server installation. Then I moved to the second server and attempted to register with "-adminui-setup" and never got it successfully registered. On the 1st policy server, I had external LDAP Admin authentication enabled, which I thought could be the issue. So I followed the steps below.

     

    1. Delete Trusted Hosts and Sm-Admins

    2. Delete SM-Admin-Directory

    3. Run XPSSweeper

     

    Start PS and JBoss server. And then I faced issues even logging in with the siteminder id on the 1st policy server. So now the WAMUI console is down on both SM 1252 SP1 policy servers.

     

    I did almost all the possible documented steps to recover from issue but unable to register WAMUI on any server.

     

    I am always getting "Agent API Failure".

     

    Just to give background about SM 1252 SP1 install,

     

    1. I am installing Policy Server and WAMUI in New Directory on each server.

    2. Initialize New LDAP Policy Store as standard steps

    3. Install WAMUI

    4. Register WAMUI with New Policy Store, upon confirmation bring down policy server

    5. Point Policy server to old Live Policy Store instance.

    6. Install XPSDD

    7. Import XPS Policy

    8. Delete Data folder from WAMUI.

    9. Now attempt to register, and it sometimes works and sometimes does not.

     

    I am very curious about the Agent API Failure messages, and am looking for some advice here.

     

    Thanks,

    Sanjay



  • 2.  Re: 1252 SP1 wamui Registration on Multiple Policy Servers running 1252 SP1

    Posted Jun 29, 2015 04:37 PM

    After you ran steps 1,2,3 to revert; I'd ideally execute smreg -su again to reset the SiteMinder Super User to see if that helps restore the SiteMinder Super User permissions (in addition to only resetting the Super User Password).

     

    Another hint. I'd ideally first configure WAMUI1 with PS1 and WAMUI2 with PS2 using SiteMinder Super User. Then flip WAMUI1 to External Authentication, then flip WAMUI2 to External Authentication.

     

    I have a suspicion that when we flip to External Authentication, it may de-associate some of the privileges of the SiteMinder Super User. Remember it is the same PStore WAMUI1 and WAMUI2 are latching onto. Hence when you thereafter try to use SiteMinder Super User for WAMUI2 (after flipping WAMUI1 to External Auth) there may be a conflict.

     

     

    Regards

     

    Hubert



  • 3.  Re: 1252 SP1 wamui Registration on Multiple Policy Servers running 1252 SP1

    Posted Jun 30, 2015 10:25 AM

    Hi Hubert,

     

    Thanks for your suggestions.

     

    I was able to reset the WAMUI which was set up with external authentication. Then I pointed both SM1252 SP1 policy servers to a plain new instance and I was able to register WAMUI1 and WAMUI2 successfully with the same "siteminder" id.

     

    This confirmed that Siteminder id works fine over both WAMUIs and using single policy store.

     

    So I switched to my old live policy store on both servers and executed the same commands. It was still failing to register successfully. CA Support indicated maybe it was a timeout, so I bumped the value for "Search_Timeout" under "sm.registry" from 120 seconds to 180 seconds. This helped to register WAMUI1 successfully. Then I replicated the same settings on the other policy server for WAMUI2 and it did not work. I am still getting "Agent API Error". We have 113000 objects in the policy store; will that be causing any issue?

     

    Do you think I still need to do smreg -su even though external authentication is not defined?

     

    Any other things I could try ?

     

    Thanks & Regards,

    Sanjay



  • 4.  Re: 1252 SP1 wamui Registration on Multiple Policy Servers running 1252 SP1

    Posted Aug 07, 2015 03:18 PM

    I have a similar situation here, but I have two different PS and two different CA Directories configured. I would like to have both the policy stores in sync so that whenever there is a modification in one of the PS, it goes into both the policy stores. Similar to replication.

    I know we could add policy store details in Smconsole. And to add, both the policy stores have the same structure and cn and password. I tested adding two IPs and the testing seemed really great. But when I logged into the WAMUI, it gave me an error: unable to process login, please contact administrator.

     

    I have tried re-registering the UI and running XPSRegClient. But that didn't work; only after I removed the additional policy store IP was I able to log in.

     

    Is there any document to sync two standalone installations into one unit? You understand what I mean...

     

    If so, your assistance would be really helpful.

     

    Thanks



  • 5.  Re: 1252 SP1 wamui Registration on Multiple Policy Servers running 1252 SP1

    Posted Jun 30, 2015 01:45 AM

    Hi Sanjay,

     

    Are you installing WAMUI freshly on each server? Which OS are you using here?

    I guess you can try deleting the data directory within the adminui directory, which should be somewhere like ps_home/adminui/server/default/data

    Then try to register adminui, and see if it works or not.

     

    Thanks & Regards,

    Ankush



  • 6.  Re: 1252 SP1 wamui Registration on Multiple Policy Servers running 1252 SP1

    Posted Jun 30, 2015 10:31 AM

    Hi Ankush,

     

    Thanks for your reply.

     

    I have tried the following steps so many times so far, but no luck.

     

    1. STOP POLICY SERVER

    2. STOP JBOSS APP SERVER

    3. Use XPSExplorer to Delete Trusted Host and WAMUI Admin Id

    4. Delete data directory from /web/soft/smwamui/siteminder/adminui/server/default/

    5. XPSSecurity if external authentication is defined.

    6. START POLICY SERVER

    7. XPSSweeper

    8. XPSRegClient siteminder:*** -adminui-setup -vT -l /web/soft/smwamui/siteminder/adminui/wamui-reg-log -t 1440

    9. START JBOSS APP SERVER

    10. Attempt to log in to the console and getting "Agent Api Error"

     

    Any thoughts?

     

    Thanks & Regards,

    Sanjay



  • 7.  Re: 1252 SP1 wamui Registration on Multiple Policy Servers running 1252 SP1

    Posted Jul 26, 2015 12:56 AM

    Hi Sanjay,

     

    I believed that you worked with CA Support on this WAMUI registration issue -- 00133461 and it seems to be resolved after some work on the policy store. Please confirm if this problem has been addressed and this community post can be marked as resolved.

     

    Best regards,

    Kelly



  • 8.  Re: 1252 SP1 wamui Registration on Multiple Policy Servers running 1252 SP1

    Posted Aug 13, 2015 02:01 PM

    Hi,

     

    Finally, I am able to complete the Siteminder Upgrade with WAMUI and External Authentication successfully. I adopted the following approach and fine tuning to get it working.

     

    1. Update the search timeout in sm.registry on the current policy servers. If it is NOT set properly, you will see Agent API Failures

    2. Perform In Place Upgrade

    3. Update Policy store

    4. Register WAMUI

    5. Configure External Admin. Please be careful while setting up External Admin. When you come to a screen where it shows you object classes, there is a search root option which is by default set to "cn=changelog". Please change it to where your user directory root is located.

    6. If you are not using wily and are getting a wily lib error, you can disable it from XPSConfig.

     

    Let me know if anybody has questions.

     

    Thanks,

    Sanjay