Symantec Access Management

  • 1.  Unable to access Arcot_Scheme protected URL after upgrading SiteMinder Policy Server for Windows r12.52

    Broadcom Employee
    Posted May 31, 2015 10:16 PM

    Symptom

    We have a RiskMinder Server running on the SiteMinder Policy Server machine (Windows). After upgrading SiteMinder Policy Server from r12.0 SP3 to r12.52, accessing the Arcot_Scheme protected URL results in an HTTP 500 error.

    1. The Web Server keeps returning an HTTP 500 error when we access these URLs.
    2. In the web agent log, there are some outstanding errors:
      [2080/888][Fri Nov 28 2014 08:07:53][CSmLowLevelAgent.cpp:546][ERROR][sm-AgentFramework-00520] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'.
      [2080/888][Fri Nov 28 2014 08:07:53][CSmProtectionManager.cpp:192][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Low Level Agent'.
      [2080/888][Fri Nov 28 2014 08:07:53][CSmHighLevelAgent.cpp:413][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Protection Manager'.
    3. In the Policy Server log, there are also some errors logged:
      [11/28/2014][08:07:53.000][08:07:53][2624][2592][Sm_Az_Message.cpp:825][CSm_Az_Message::FormatAttribute][s71/r4][IIS_Agent][][][][Arcot_Realm][demo domain][][][][][][][][][][][][][Reject s71/r4 : internal error – failed to obtain scheme credentials for scheme ‘Arcot_Scheme’][Send response attribute 158, data size is 94]
    4. As a comparison, these Basic Authentication Scheme protected URLs are still accessible.

      The same errors happened after upgrading to SiteMinder Policy Server r12.52 SP1.


    Causes

    As SiteMinder r12.52 is shipped with an embedded RiskMinder Server, the SiteMinder r12.52 Policy Server installer invokes the Policy Server Configuration Wizard to apply some RiskMinder-specific configuration. It overwrites the ARCOT_HOME system environment variable and %ARCOT_HOME%/conf/adaptershim.ini.

    For example, before upgrade, the environment variable was:
    ARCOT_HOME=C:\CA\Arcot Systems
    After upgrade, the environment variable became:
    ARCOT_HOME=C:\CA\aas

    As a result, the ArcotSiteMinderAdapter.dll module couldn't access the original adaptershim.ini file in the original %ARCOT_HOME%/conf folder.

    Please be aware that if you re-run the Policy Server Configuration Wizard, the problem also happens, as the Policy Server Configuration Wizard overwrites %ARCOT_HOME%/conf/adaptershim.ini.


    Solutions

    A:

    1. Stop Policy Server
    2. Copy the original adaptershim.ini to current %ARCOT_HOME%/conf/adaptershim.ini
    3. Copy the original adapterSiteMinder folder to current %ARCOT_HOME%/
    4. Copy the original conf/afm folder to %ARCOT_HOME%/conf/
    5. Restart Policy Server

     

    B:

    1. If the SmPolicySrv service and the CARiskMinder service are run in different user contexts, then we can set ARCOT_HOME as a user environment variable (rather than a system environment variable) for the user who is running the SmPolicySrv service.
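
A check for the condition described in the first post, as an added example that is not part of the original posts and is not vendor code: it reports ARCOT_HOME at machine and user scope, verifies the items Solution A restores, and compares adaptershim.ini with a pre-upgrade copy. The function name and the -OriginalHome parameter are hypothetical; it assumes you run it as the account that runs the SmPolicySrv service.

```powershell
# Added example (PowerShell 4.0+), not CA/Broadcom code.
# Run as the account that runs SmPolicySrv so the User scope is that account's.
function Get-ArcotHomeReport {
    param(
        # Hypothetical parameter: the pre-upgrade folder, e.g. 'C:\CA\Arcot Systems'.
        [string]$OriginalHome
    )

    # ARCOT_HOME per scope; a User value overrides the Machine (system) value.
    $scopes = [ordered]@{}
    foreach ($scope in 'Machine', 'User') {
        $scopes[$scope] = [Environment]::GetEnvironmentVariable('ARCOT_HOME', $scope)
    }
    $current = if ($scopes['User']) { $scopes['User'] } else { $scopes['Machine'] }

    # Items that Solution A restores under %ARCOT_HOME%.
    $items = @()
    if ($current) {
        foreach ($rel in 'conf\adaptershim.ini', 'adapterSiteMinder', 'conf\afm') {
            $path = Join-Path -Path $current -ChildPath $rel
            $items += [pscustomobject]@{ Path = $path; Exists = (Test-Path -LiteralPath $path) }
        }
    }

    # Was adaptershim.ini replaced? Compare with the pre-upgrade copy when both exist.
    $iniMatches = $null   # $null means "not compared"
    if ($current -and $OriginalHome) {
        $new = Join-Path -Path $current -ChildPath 'conf\adaptershim.ini'
        $old = Join-Path -Path $OriginalHome -ChildPath 'conf\adaptershim.ini'
        if ((Test-Path -LiteralPath $new) -and (Test-Path -LiteralPath $old)) {
            $iniMatches = (Get-FileHash -LiteralPath $new).Hash -eq (Get-FileHash -LiteralPath $old).Hash
        }
    }

    [pscustomobject]@{
        Scopes             = $scopes
        EffectiveHome      = $current
        Items              = $items
        IniMatchesOriginal = $iniMatches
    }
}

# 'C:\CA\Arcot Systems' is the pre-upgrade value shown in the post's example.
$report = Get-ArcotHomeReport -OriginalHome 'C:\CA\Arcot Systems'
$report.Scopes.GetEnumerator() | ForEach-Object { '{0,-8} ARCOT_HOME={1}' -f $_.Key, $_.Value }
$report.Items | Format-Table -AutoSize
"adaptershim.ini matches pre-upgrade copy: $($report.IniMatchesOriginal)"
```

Running it before and after the Policy Server Configuration Wizard shows whether the variable or the file changed.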


  • 2.  Re: Unable to access Arcot_Scheme protected URL after upgrading SiteMinder Policy Server for Windows r12.52

    Posted Jun 01, 2015 02:09 AM

    Nice Post.

     

    Have just tested:

    Do a fresh installation of PS R12.52 SP1.

     

    The following three folders will be created:

    c:\Program Files (x86)\CA\aas\

    c:\Program Files (x86)\CA\siteminder\

    c:\Program Files (x86)\CA\install-info\

     

    Advanced Authentication Menu is linked to

    "C:\Program Files (x86)\CA\aas\install_config_info\ca-aas-uninstall\uninstall.exe"

     

    ENV variable set

    ARCOT_HOME=C:\Program Files (x86)\CA\aas



  • 3.  Re: Unable to access Arcot_Scheme protected URL after upgrading SiteMinder Policy Server for Windows r12.52

    Posted Mar 31, 2017 10:08 AM

    Hi

     

    I encountered the same error, but in my case I didn't do an upgrade but just installed the Adapter for Strong Authentication on the policy server 12.52sp1, RedHat 6, as the official documentation explains. I also excluded the embedded unuseful RiskMinder (/aas folder) process from the start-all / stop-all scripts and set ARCOT_HOME to my new adapter install folder. So SSO starts that environment with the right ARCOT_HOME variable. But I always face the error mentioned, "internal error – failed to obtain scheme credentials for scheme ". Also, LD_LIBRARY_PATH is set to the correct folder for libs (siteminder/lib). The adaptershim.ini file is correctly located in the correct folder under the arcot_home/conf directory. Libs are correctly located in both the lib and bin folders from siteminder and also in the arcot_home/adapterSiteminder/lib directory. What more could I check?