Symantec Access Management


Workaround to register an admin UI with multiple policy servers 

Dec 20, 2017 09:44 AM

Overview

Each AdminUI must have a one-to-one mapping with a policy server's DNS entry.
These DNS entries are saved in trusted hosts in the policy store.

Registration process

1. Using XPSRegClient, open policy server 1 for registration:
   XPSRegClient siteminder:passphrase -adminui-setup
2. Register the AdminUI with policy server 1 from the AdminUI login window.
3. Note down the DNS entry used to register the AdminUI (this entry cannot be used again).
4. Stop the JBoss server on the AdminUI:
   ./jboss-cli.sh --connect --command=:shutdown
5. On the AdminUI server, cd to:
   [admin ui home]/standalone/data/derby/siteminder
6. Remove the objectstore folder.
7. Start the AdminUI again.
8. Using XPSRegClient, open policy server 2 for registration:
   XPSRegClient siteminder:passphrase -adminui-setup
9. Register the AdminUI with policy server 2.
10. Note down the DNS entry used to register the AdminUI (this entry cannot be used again).

The AdminUI is now registered with both policy servers.

Repeat this process for each additional AdminUI. Remember that you cannot re-use a DNS entry already used for another AdminUI in the policy store.
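
The two error-prone parts of the procedure above, noting down each DNS entry so it is never re-used and clearing the objectstore folder, can be scripted. This is an added example, not part of the original article or of the product: the function names, the ledger file and the backup directory are assumptions, and the objectstore folder is moved to a backup location rather than deleted so the previous state can be restored.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, the ledger
# file and the backup directory are assumptions made for illustration.

# record_dns_entry LEDGER DNS_NAME LABEL
# Notes down a DNS entry; returns 1 if it was already recorded, because an
# entry used for one registration cannot be used again.
record_dns_entry() {
    ledger=$1
    dns=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    label=$3
    [ -n "$dns" ] && [ -n "$label" ] || return 2
    touch "$ledger" || return 2
    if awk -v d="$dns" '$1 == d { found = 1 } END { exit !found }' "$ledger"; then
        echo "DNS entry '$dns' is already in use" >&2
        return 1
    fi
    printf '%s %s\n' "$dns" "$label" >> "$ledger"
}

# reset_objectstore ADMINUI_HOME BACKUP_DIR
# Run only after the JBoss server has been stopped. Moves
# ADMINUI_HOME/standalone/data/derby/siteminder/objectstore into BACKUP_DIR
# and prints the backup path. Refuses symlinks and missing directories so a
# wrong ADMINUI_HOME cannot touch anything else.
reset_objectstore() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    store="$1/standalone/data/derby/siteminder/objectstore"
    backup_dir=$2
    if [ -L "$store" ] || [ ! -d "$store" ]; then
        echo "no objectstore directory at $store" >&2
        return 1
    fi
    mkdir -p "$backup_dir" || return 2
    dest="$backup_dir/objectstore.$(date +%Y%m%d%H%M%S).$$"
    mv "$store" "$dest" || return 2
    printf '%s\n' "$dest"
}
```

Keep the ledger file somewhere all AdminUI administrators can read it, since the uniqueness constraint applies across every AdminUI registered in the same policy store.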


Comments

Dec 21, 2017 11:35 AM

Gotcha. However, this is an unsupported configuration and we do NOT encourage customers to implement this in PROD.

This is good just for some quick test in lower env.

 


Dec 21, 2017 10:53 AM

This is really good info Matt.

 

I am in agreement with Ujwol. Is this vetted / approved for use by Engineering? If we implemented this route, is this going to be officially supported by CA Support and CA Engineering for any subsequent issues that arise in future releases? We should always answer this question first. If it is a supported approach then this should be formally documented as a Tech Note OR a documentation update. Then happy to use this approach (like Makesh indicated, it looks like it eliminates one hop).

 

Regards

Hubert

Dec 21, 2017 10:43 AM

Hi Ujwol,

 

The official approach has a dependency on setting up an "external administrator store" prior to registering multiple policy servers with WAMUI. But the workaround from Matt eliminates the need for an external administrator store.

 

Regards,

Makesh

Dec 20, 2017 02:02 PM

Hi Matthew,



Thanks for the KB.


However, the official procedure to register multiple Policy server connections with wamui is:


https://docops.ca.com/ca-single-sign-on/12-6-01/en/installing/install-the-administrative-ui/optional-configure-additional-policy-server-connections-for-the-administrative-ui


Specifically, for the second policy server connection you would use the “-adminui” switch rather than “-adminui-setup”, which is used only for the first initial connection.


Did you have any issue following the official approach?


Regards,

Ujwol

