Symantec Access Management


SPS configuration issue

  • 1.  SPS configuration issue

    Posted Feb 21, 2017 01:41 AM

    Hello All,

     

    I am installing a new instance of SPS and the installation went fine, but while configuring (i.e. ca-sps-config.sh) I get an error.

     

    Creation of proxy UI Protection Policy has failed (attached a screenshot of the error)

    I have verified that the Agent name I am giving is present in the Admin GUI, but I still get the same error.

     

    Any pointers on what could be the issue here?

     

    Thank You

    Ankur Taneja



  • 2.  Re: SPS configuration issue

    Posted Feb 21, 2017 02:06 AM

    Hi Ankur,

     

    Could you please check the name of the default agent or an agent name defined in the ACO?

     

    https://docops.ca.com/ca-single-sign-on/12-6/EN/configuring/ca-access-gateway-configuration

     

    Regards,
    Leo Joseph.



  • 3.  Re: SPS configuration issue

    Posted Feb 21, 2017 02:11 AM

    Hello Leo,

     

    Yes, I have checked and am giving the same agent name as mentioned in the default agent for the defined ACO.

     

    Thanks



  • 4.  Re: SPS configuration issue

    Posted Feb 21, 2017 02:58 AM

    Hi Ankur,

     

    Kindly check the below:

    Is the Proxy UI already protected within some other domain, and has it used the same agent name?
    Have you protected the Proxy UI manually in a different domain and are trying to use the same agent to protect the Proxy UI again?

     

    Regards,
    Leo Joseph.



  • 5.  Re: SPS configuration issue
    Best Answer

    Posted Feb 22, 2017 12:45 AM

    Hi,

    Did you find the SPS configuration log (SPS_install_path/install_config_info folder) generated? We need to check what error is reported. Instead of using console mode, have you tried UI mode for the configuration? I just want to compare whether that returns a different result.

     

    Regards,

    Kar Meng



  • 6.  Re: SPS configuration issue

    Broadcom Employee
    Posted Feb 22, 2017 03:39 AM

    Hi Ankur

     

    In addition to the question by Karmeng, SPS will use the defaultagent configuration for protecting the GUI. So if you look at /opt/CA/secure-proxy/proxy-engine/conf/defaultagent, does it contain a WebAgent.conf and SmHost.conf where you can verify the objects it is trying to use, the machine names, etc.?

    If I am not wrong, it will use by default:

     

    AgentConfigObject="CAM-AgentObj"

     

    So can you verify in your policy server that it exists, and also the user directories and domains as specified in https://docops.ca.com/ca-single-sign-on/12-6/EN/configuring/ca-access-gateway-configuration?



  • 7.  Re: SPS configuration issue

    Posted Feb 23, 2017 04:05 AM

    Hello All,

     

    Thank you for the responses.

     

    I have checked the WebAgent.conf and SmHost.conf and they seem to be referring to the correct ACO, HCO and trusted host. Also, I couldn't find anything in the logs either, i.e. ca-sps-details.log.

     

    But I bypassed the Proxy UI configuration part by continuing and was able to successfully install a new SPS instance (as we use it for federation service and will not require the Proxy UI anyway).

     

    Now we have 2 SPS instances and I have updated all the relevant files for this new SPS instance, like server.conf, proxyrules.xml, httpd.conf, proxyserver.sh etc., accordingly. But somehow I am not able to get this new instance working and am getting the below error:

     

    I checked for a port conflict as well, which is not there, as we are using different ports for the 2 different SPS configurations.

     

    Any pointers here? Anything specific that I should check or that I am missing?

     

    Thank You

    Ankur Taneja



  • 8.  Re: SPS configuration issue

    Posted Feb 23, 2017 04:19 AM

    Hi Ankur,

     

    It seems like Tomcat is not stopping properly here.

    Please do the following.

    1. Stop the proxy engine: ./sps-ctl stop

    2. Go to SPS_HOME/proxy-engine/tmp

    3. Check whether sps.pid still exists. If it is present, please remove it (rm sps.pid).

    4. Start the proxy engine

     

    Thanks,

    Sharan



  • 9.  Re: SPS configuration issue

    Posted Feb 23, 2017 04:45 AM

    Hello Sharana,

     

    Checked, nothing there in /proxy-engine/tmp for the new SPS instance.



  • 10.  Re: SPS configuration issue

    Posted Feb 23, 2017 07:27 PM

    Hi Ankur,

     

    I guess some application has occupied the default port (i.e. port 80) that you configured in httpd.conf.

    Check if any application has occupied the port.

    i.e.:

    [root@lodbl509vm046 /]# sudo netstat -ltnp | grep ':80'

     

    If it returns a result, then it suggests an application has occupied the port

    i.e.:

    tcp        0      0 :::80                     :::*                        LISTEN      18255/java

     

    Kill the process

    i.e.:

    sudo kill -9 18255

     

    and check if SPS can startup.

     

    If the above is not relevant, modify sps-ctl to add -x in order to give us more hints about what the problem is.

     

    Regards,

    Kar Meng



  • 11.  Re: SPS configuration issue

    Broadcom Employee
    Posted Feb 23, 2017 04:19 AM

    Hi Ankur

    I guess you probably have done it already, but just in case, shut down SPS and do a netstat -an | grep 502 → This will tell you if someone is listening on that port

    The main point here is the message is a bit misleading. You should look at the Apache httpd logs for hints, but just to give you a few examples of what this may be:

     

    http://askubuntu.com/questions/525647/apache2-wont-start-no-listening-sockets-available-ubuntu-14-04

    http://serverfault.com/questions/461300/apache-wont-start-httpd-service-start-centos-6-3

     

    Second one gives some better hints, IMHO

     

    If worse comes to worse, you can edit sps-ctl and put a set -x in the second line, which will tell you what the script is doing line by line, so we may be able to know when it complains about the problem

    Hope to have helped
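
The port checks suggested in the two replies above can be scripted so that the port is matched exactly (a plain grep ':80' also matches :8080) and so that the Listen ports of both SPS instances are compared directly. This is an added example, not code from the thread or from the product; the function names and the sample netstat lines are constructed, and it assumes each instance's httpd.conf uses standard Apache Listen directives.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed for illustration.

# Print the TCP ports named by Listen directives in an Apache httpd.conf.
# Handles "Listen 80", "Listen 10.0.0.5:8080", "Listen [::]:443" and
# "Listen 443 https"; commented-out directives are ignored.
listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, part, ":"); print part[n] }' "$1"
}

# Read `netstat -ltnp` output on stdin and print the "pid/program" column of
# any socket listening on exactly port $1 (80 must not match 8080).
port_owner() {
    awk -v port="$1" '$6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) print $7 }'
}

# Print the ports that two instances' httpd.conf files both try to bind.
shared_ports() {
    for p in $(listen_ports "$1"); do
        if listen_ports "$2" | grep -qx "$p"; then echo "$p"; fi
    done
}

# Constructed sample: netstat output in the format quoted in the thread.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:8080    0.0.0.0:*         LISTEN   2210/httpd
tcp        0      0 :::80           :::*              LISTEN   18255/java
EOF
}

# Report the owner of every port an instance's httpd.conf wants, from live data.
check_instance() {
    for p in $(listen_ports "$1"); do
        owner=$(netstat -ltnp 2>/dev/null | port_owner "$p")
        echo "port $p: ${owner:-free}"
    done
}

# Usage: sh check_ports.sh /path/to/httpd.conf   (path is a placeholder)
if [ "$#" -gt 0 ]; then check_instance "$1"; fi
```

Run it with SPS stopped, so that any owner reported for one of the instance's ports is a different process and can be identified before anything is killed.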



  • 12.  Re: SPS configuration issue

    Posted Mar 01, 2017 10:22 AM

    Another reason for the error you may get with protection policy creation is when you are using an account for configuring Access Gateway which does not have rights to create Domain objects. Just verify what account you are using for the configuration.



  • 13.  Re: SPS configuration issue

    Broadcom Employee
    Posted Jun 13, 2018 12:04 PM

    I had that issue. I was using an admin username that was specifically used for registering trustedhosts and did not have rights to create policy objects. When I used the superuser admin "siteminder" it worked. It successfully created policies for the SPS agent.



  • 14.  Re: SPS configuration issue

    Broadcom Employee
    Posted Jun 13, 2018 12:06 PM

    You will have this error if the admin you are using for registering the trustedhost does not have privileges to create policy objects. Use an admin user that has full privileges to register the trustedhost and do the subsequent configuration, and you will not have this issue. I have experienced the same and that's how I resolved it.