PAM-CM-0030: Registration failed ('Configuration of CA Single Sign-On Web Agent failed. Please check your settings.');

Article ID: 185997

Products

CA Privileged Access Manager (PAM) CA Single Sign-On

Issue/Introduction

When integrating PAM with CA Single Sign-On, if multiple policy server addresses are defined, the registration fails with the PAM-CM-0030 error:
PAM-CM-0030: Registration failed ('Configuration of CA Single Sign-On Web Agent failed. Please check your settings.');

Cause

The registration fails because the "Trusted Host Registration" command that is run passes the Policy Server IP/Port values without a separator, so two policy servers are sent as a single address.
You can click the "DOWNLOAD LOG" button to get the PAM-side SSO log and see exactly which command was run.



String does not contains '"' in it.

Custom Action:            com.netegrity.webagent.config.MoveSmHostConf
                          Status: SUCCESSFUL

Modify Text File - Single File:   New File /opt/cloakware/cspmserver_thirdparty/ca-sso-wa/bin/runsmreghost.sh
                          Status: SUCCESSFUL

Execute Command:          chmod 775 /opt/cloakware/cspmserver_thirdparty/ca-sso-wa/bin/runsmreghost.sh
                          Status: SUCCESSFUL

Executable command: "/opt/cloakware/cspmserver_thirdparty/ca-sso-wa/bin/smreghost" -i 192.168.0.3:44443192.168.0.41:44443 -u "siteminder" -p "********" -hn "pam330a1.ldap1.lab" -hc "hco.pam" -cf "COMPAT" -f "/opt/cloakware/cspmserver_thirdparty/ca-sso-wa/config/SmHost.conf" -rs

STDOUT: Registration failed ('').

STDERR: 
RETURN_VALUE: 251


The smreghost utility does not currently support registering against multiple policy servers.
It can only register against a single policy server.

The following is the usage output of the smreghost command from SiteMinder R12.8SP3.

Usage
    smreghost -i ipAddress[:port] -u username [-p password] -hn hostname -hc hostconfigobject
   -i  <IPv4 address or IPv6 address enclosed in square brackets as in [IPv6 address][:port]>
  -hn  <Name for host to be registered>
  -hc  <Name of host configuration object>
[ -sh  <Shared secret for the host> ]
[-rs]  (enable shared secret rollover for host)
[  -u  <Administrator username> ]
[  -p  <Administrator password> ]
[  -f  <File to store registration data in (defaults to ./SmHost.conf)> ]
[ -cf  <Crypto FIPS140 mode (COMPAT or MIGRATE or ONLY)>
[ -cp  <Name of crypto provider (ETPKI)> ]
[  -o  <Overwrite existing Trusted Host> ]

NOTE: Any <value> that contains spaces should be surrounded by quotes.
Example: "value with spaces".

Environment

PAM 3.x.x
SiteMinder R12.8.x

Resolution

An enhancement request (IDEA) for this feature has been filed in the PAM community:
https://community.broadcom.com/participate/ideation-home/viewidea?IdeationKey=2007f92f-64e9-424a-b97c-8cd93803980e

Recommendation:
Register against a single policy server until this enhancement is delivered.
Ignore the fact that the PAM GUI allows you to enter multiple Policy Servers.

smreghost is required to bootstrap the SiteMinder agent in PAM, so that it can contact a Policy Server for initialization.
Once initialized, the SSO Agent on PAM contacts the Policy Servers registered in the HCO.

[SAMPLE SMHOST.CONF]
C:\Users\Administrator>type smhost.conf
#NOTE: PKCS11 crypto provider is deprecated. Please use ETPKI instead. (SmHost.conf)
#This file contains bootstrap information required by the SiteMinder Agent API to connect to Policy Servers at startup.
#Be sure the IP addresses and ports below identify valid listening Policy Servers.
#Please do not edit the encrypted SharedSecret entry.
hostname="reg-test"
sharedsecret="{RC2}8AonNMmtxs/y+RRJIFn6xGL/iP27SVtbz+24KIRfUWgS0lrtgzrDsssnVyd3XSo4SS3lY145fEgRFBJ8hz5L3tgCY5Z2i3KfI047SeaJh3CjrVS0aiv6CtOcMggTmbDIIF2nDayMlOnhNAABQAHSRHvw/XXe+gkZ/LoZE3c/Pq+BgPHL8jx+TomRJNPfkfHD"
sharedsecrettime="0"
enabledynamichco="NO"
hostconfigobject="hco.pam"
#Add additional bootstrap policy servers here for fault tolerance.
policyserver="192.168.0.3,44443,44443,44443"
requesttimeout="60"
cryptoprovider="ETPKI"
fipsmode="COMPAT"

# <EOF>


As you can see above, there is only one "policyserver" entry.
Once this SmHost.conf file has been generated, a support engineer can help modify /opt/cloakware/cspmserver_thirdparty/ca-sso-wa/config/SmHost.conf to add additional bootstrap policy servers.

[Modified SAMPLE SmHost.conf]
C:\Users\Administrator>type smhost.conf
#NOTE: PKCS11 crypto provider is deprecated. Please use ETPKI instead. (SmHost.conf)
#This file contains bootstrap information required by the SiteMinder Agent API to connect to Policy Servers at startup.
#Be sure the IP addresses and ports below identify valid listening Policy Servers.
#Please do not edit the encrypted SharedSecret entry.
hostname="reg-test"
sharedsecret="{RC2}8AonNMmtxs/y+RRJIFn6xGL/iP27SVtbz+24KIRfUWgS0lrtgzrDsssnVyd3XSo4SS3lY145fEgRFBJ8hz5L3tgCY5Z2i3KfI047SeaJh3CjrVS0aiv6CtOcMggTmbDIIF2nDayMlOnhNAABQAHSRHvw/XXe+gkZ/LoZE3c/Pq+BgPHL8jx+TomRJNPfkfHD"
sharedsecrettime="0"
enabledynamichco="NO"
hostconfigobject="hco.pam"
#Add additional bootstrap policy servers here for fault tolerance.
policyserver="192.168.0.3,44443,44443,44443"
policyserver="192.168.0.41,44443,44443,44443"
requesttimeout="60"
cryptoprovider="ETPKI"
fipsmode="COMPAT"

# <EOF>
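The following is an added example, not code from PAM or SiteMinder. It checks a single smreghost -i value against the usage grammar shown above (so the run-together value from the log is rejected with a hint), and adds a second bootstrap policyserver line to SmHost.conf text in the form the modified sample shows; the function names and the constructed input are my own.

```python
import ipaddress
import re

# Constructed input: the -i value from the failing smreghost command in the
# PAM SSO log above (two policy servers run together with no separator).
BAD_I_VALUE = "192.168.0.3:44443192.168.0.41:44443"

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_reghost_target(value):
    """Validate one smreghost -i value against the documented grammar
    ipAddress[:port], with IPv6 written as [addr][:port].
    Returns (ip, port_or_None); raises ValueError with a hint otherwise."""
    m = (re.fullmatch(r"\[([^\]]+)\](?::(\d{1,5}))?", value)
         or re.fullmatch(r"([0-9.]+)(?::(\d{1,5}))?", value))
    if not m:
        found = _IPV4.findall(value)
        hint = "malformed"
        if len(found) > 1:
            hint = (f"looks like {len(found)} addresses run together {found}; "
                    "smreghost takes exactly one -i target")
        raise ValueError(f"invalid -i value {value!r}: {hint}")
    ip = ipaddress.ip_address(m.group(1))  # ValueError if not an IP address
    port = int(m.group(2)) if m.group(2) else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {value!r}")
    return str(ip), port


def add_bootstrap_policy_server(conf_text, ip, port):
    """Add a bootstrap policyserver line to SmHost.conf text after the existing
    policyserver line(s), in the 'ip,port,port,port' form the sample uses.
    An entry for the same ip is not duplicated."""
    ipaddress.ip_address(ip)
    lines = conf_text.splitlines()
    if any(l.startswith(f'policyserver="{ip},') for l in lines):
        return conf_text
    idxs = [i for i, l in enumerate(lines) if l.startswith("policyserver=")]
    lines.insert(idxs[-1] + 1 if idxs else len(lines),
                 f'policyserver="{ip},{port},{port},{port}"')
    return "\n".join(lines) + "\n"
```

Run parse_reghost_target over the -i value taken from the downloaded log before raising a case, and keep the sharedsecret line untouched when editing the file.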
