Symptom
We have a RiskMinder Server running on SiteMinder Policy Server Machine (Windows). After upgrading SiteMinder Policy Server from r12.0 SP3 to r12.52, accessing the Arcot_Scheme protected URL results in HTTP 500 error.
- The Web Server keeps returning HTTP 500 error when we access these URLs.
- In web agent log, there are some outstanding errors:
[2080/888][Fri Nov 28 2014 08:07:53][CSmLowLevelAgent.cpp:546][ERROR][sm-AgentFramework-00520] LLA: SiteMinder Agent Api function failed – ‘Sm_AgentApi_IsProtectedEx’ returned ‘-1′.
[2080/888][Fri Nov 28 2014 08:07:53][CSmProtectionManager.cpp:192][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: ‘Low Level Agent’.
[2080/888][Fri Nov 28 2014 08:07:53][CSmHighLevelAgent.cpp:413][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: ‘Protection Manager’. - In Policy Server log, there are also some errors logged:
[11/28/2014][08:07:53.000][08:07:53][2624][2592][Sm_Az_Message.cpp:825][CSm_Az_Message::FormatAttribute][s71/r4][IIS_Agent][][][][Arcot_Realm][demo domain][][][][][][][][][][][][][Reject s71/r4 : internal error – failed to obtain scheme credentials for scheme ‘Arcot_Scheme’][Send response attribute 158, data size is 94] - As a comparison, these Basic Authentication Scheme protected URLs are still accessible.
Same errors happened after upgrading to SiteMinder Policy Server r12.52 SP1
Causes
As SiteMinder r12.52 is shipped with an embedded RiskMinder Server, the SiteMinder r12.52 Policy Server installer invokes Policy Server Configuration Wizard to apply some RiskMinder specific configuration, it overwrites ARCOT_HOME system environment variable and %ARCOT_HOME%/conf/adaptershim.ini.
For example, before upgrade, the environment variable was:
ARCOT_HOME=C:\CA\Arcot Systems
After upgrade, the environment variable became to:
ARCOT_HOME=C:\CA\aas
This causes that the ArcotSiteMinderAdapter.dll module couldn’t access the original adaptershim.ini file in original %ARCOT_HOME%/conf folder.
Please be aware of that if you re-run Policy Server Configuration Wizard, the problem also happens as Policy Server Configuration Wizard overwrites %ARCOT_HOME%/conf/adaptershim.ini
Solutions
A:
- Stop Policy Server
- Copy the original adaptershim.ini to current %ARCOT_HOME%/conf/adaptershim.ini
- Copy the original adapterSiteMinder folder to current %ARCOT_HOME%/
- Copy the original conf/afm folder to %ARCOT_HOME%/conf/
- Restart Policy Server
B:
- If the SmPolicySrv service and CARiskMinder service are run in different user context, then we can set the ARCOT_HOME as an user environment variable (rather than system environment variable) on the user who running SmPolicySrv service.