Symantec Access Management


Tech Tip : CA Single Sign-On : 12.6 XPSSweeper integrity check tool reports error that can not be fixed automatically.

  • 1.  Tech Tip : CA Single Sign-On : 12.6 XPSSweeper integrity check tool reports error that can not be fixed automatically.

    Posted Jan 12, 2017 03:24 AM

    Issue

    When running : XPSSweeper -a -changeset Changesetfile.txt -report Reportfile.txt 

    The following appears in the report text file, without a changeset file, because, as the report says, these errors cannot be fixed automatically.

    Now, we have 4 errors of the same nature (federation):

    [..]

    1) [sm-xpsxps-03233] Required attribute CA.SM::SAMLv2IdP.Name is not set.

    Object ID: CA.SM::SAMLv2IdP@21-b2312d0f-848b-4649-93ac-9a47b8274cc6

    Object Name: FedName

    Object Path: AuthScheme[FedName] / SAMLv2IdP[FedName]

    Object Description:

    Fix Information: Automatic fix currently not available.

    [..]

     

    And another error is:

    5) [sm-xobsm-00480] Directory Server="E:\Program": Port "\Program" must be an integer in the range 1-65535.

    Object ID: CA.SM::UserDirectory@0e-86efcd25-6991-498c-8691-52cd11684f35

    Object Name: FedDir

    Object Path: UserDirectory[FedDir]

    Object Description:

    Fix Information: Automatic fix currently not available. 

     

    Environment

    Policy Server : R12.6, on Win2012 R2
    Policy Store : CA Directory R12 SP18
    AdminUI : R12.6, on Win2012 R2

    Cause

    This issue is due to a small defect in the validation logic for userdirectory objects.

    The logic for checking the contents of the server attribute doesn't take into account the differences between the AD:, LDAP:, Custom: and ODBC: namespaces.

    The same server attribute is overloaded to represent IP addresses for LDAP: and AD:, DSN names for ODBC: and filenames for Custom:.

    Luckily, applying the same validation logic to all namespaces doesn't usually cause a validation failure.

    However, when the validation logic sees a ":" in the server field, it expects a number to follow the ":".

    In the case of this defect, the customer has provided a full Windows file specification for the userdirectory server attribute, including the drive letter followed by ":".

    Workaround

    There is a workaround for this issue. The server field for the "FedDir" userdirectory object should be changed from "E:\Program Files (x86)\CA\siteminder\bin\smdirapi_all.dll" to "smdirapi_all.dll".

    The new string should pass validation, and the DLL should be found at runtime if it is located in siteminder\bin.

     

    KD : TEC1462638
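    As an added illustration (not CA's own code, and not part of the original post), the Python below reconstructs the namespace-agnostic port check the Cause section describes and places a namespace-aware variant beside it; that the validator cuts the value at the first whitespace before splitting on ":" is an assumption inferred from the report's `Server="E:\Program"` / `Port "\Program"` text.

```python
from typing import Optional

def port_check(server: str) -> Optional[str]:
    """Namespace-agnostic check as the tech tip describes it (assumed reconstruction,
    not CA's code): once a ':' appears in the server value, whatever follows it must
    be an integer in 1-65535. The value is cut at the first whitespace, which is what
    makes the report show the path as Server="E:\\Program" with Port "\\Program"."""
    tokens = server.split()
    head = tokens[0] if tokens else ""
    if ":" not in head:
        return None  # plain hostname, DSN name or bare filename: nothing to check
    _host, _, port = head.partition(":")
    if port.isdigit() and 1 <= int(port) <= 65535:
        return None
    return (f'Directory Server="{head}": Port "{port}" '
            f'must be an integer in the range 1-65535.')

def validate_server(namespace: str, server: str) -> Optional[str]:
    """Namespace-aware variant: only LDAP: and AD: carry host[:port]. ODBC: holds a
    DSN name and Custom: a DLL filename, so the port rule is not applied to them."""
    if namespace in ("LDAP:", "AD:"):
        return port_check(server)
    if not server.strip():
        return f"Directory Server for namespace {namespace} must not be empty."
    return None

# Constructed sample values modelled on the tech tip (FedDir path and its workaround).
FEDDIR_PATH = r"E:\Program Files (x86)\CA\siteminder\bin\smdirapi_all.dll"
FEDDIR_FIXED = "smdirapi_all.dll"

if __name__ == "__main__":
    cases = [("Custom:", FEDDIR_PATH), ("Custom:", FEDDIR_FIXED),
             ("LDAP:", "ldap.example.com:389"), ("LDAP:", "ldap.example.com:99999")]
    for ns, value in cases:
        print(f"{ns:8} {value!r}")
        print(f"    old check: {port_check(value)!r}")
        print(f"    new check: {validate_server(ns, value)!r}")
```

    Run as a script it prints, for each constructed value, what the reconstructed old check and the namespace-aware check report; the full path fails only the old check, while the "smdirapi_all.dll" workaround passes both.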



  • 2.  Re: Tech Tip : CA Single Sign-On : 12.6 XPSSweeper integrity check tool reports error that can not be fixed automatically.

     
    Posted Feb 13, 2017 06:26 PM