Agent command object corruption

Article ID: 194825

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


We're running a Policy Server and sometimes a corrupted object appears
in the Policy Store, which causes the number of agent commands to grow
and the Policy Server to report this error:

  [6528/1184][Fri Jun 26 2020
  15:22:30][SmPolicyServer.cpp:1883][ERROR][sm-Server-00620] Exception
  in JournalThread. Text: Policy store failed operation 'CleanAgentCmds'
  for object type 'Policy store provider'. LDAP Error Deleting
  AgentCommand object: 32: No such object

We had to clean all AgentCommands manually. How can we prevent this
from happening?


Cause


The issue comes from a duplicated agent command object:

  smAgentCommandOID4=14-a9c01c2d-9c7d-4444-bf17-fd4cbc7f889f\0ACNF:6126a9af-9afc-4ba8-829a-s4ebew4s6f71,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=training,dc=com

  dn: smAgentCommandOID4=14-a9c01c2d-9c7d-4444-bf17-fd4cbc7f889f\0ACNF:6126a9a
   f-9afc-4ba8-829a-s4ebew4s6f71,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=training,dc=com
  objectClass: smAgentCommand4
  objectClass: top
  instanceType: 4
  objectCategory: CN=smAgentCommand4,CN=Schema,CN=Configuration,CN={ECEBF945-F
   74D-4442-WW144-1EB8C10D5527
  smAgentCommandOID4:: MTQtYTjMDFjMmQtOWDASDE8sETgxLWJmMTctZmQ0Y2JjN2Y4ODlmCkN
   ORjo2MTI2YTlhZi05YWZjLTRiYTgtODI5YS1iZjhiZTQ3YZmNzE=
  smCommand4: 4
  smTimeStamp4: 159340000
  distinguishedName: smAgentCommandOID4=14-a9c01c2d-9c7d-4444-bf17-fd4cbc7f889f\0ACNF:
   6126a9af-9afc-4ba8-829a-s4ebew4s6f71,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=training,dc=com
  dSCorePropagationData: 1601010100141100.0Z
  name:: MTQtYTljMDFjMmQtOWM3ZC00MTgsadsJmMTctZmQ0Y2JjN2Y4ODlmCkNORjo2MTI2YTlhZ
   i05YWZjLTRiYTgtODI5YS1iZjhiASDSADTZmNzE=
  objectGUID:: r6kmYfyaqEuCmr+as454pvcQ==
  smCommandData4: {RC2}0GpXaPg22dasDSSG8b8eg9BDLRpVY2IDsZ1V/NiizFzJVeShIZ9CKQN
   1GzSTaW+8rA5GTnEmCcU9pYMT1duRMJOH8hrvdASD414dJZJGe+VtGsjSe5/Y/VGIAfaVPQCBjZ
   RLbDsWJ9GyqLbSXYe9zCA5M0j5IcxUuqAgjCoJ4n8=
  uSNChanged: 762445608
  uSNCreated: 762244131
  whenChanged: 20200530001741.0Z
  whenCreated: 20200530001545.0Z

This is due to a known internal ADLDS (AD) processing problem:

  Active Directory: Duplicate Object Name Resolution
  https://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx

We've analysed the .ldif file and found no corruption in it, which
means the duplicate data most likely comes from a replication issue or
from a problem with the LDAP service itself.
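As an added example (not part of the article or the product), the following Python script scans an LDIF export of the Policy Store for AgentCommand objects that carry the AD "CNF:" conflict suffix and for OIDs claimed by more than one object, so a duplicate like the one above can be spotted before the JournalThread's CleanAgentCmds fails. The sample LDIF is constructed inline from placeholder values modelled on the dump above; only the standard library is used.

```python
import base64
from collections import defaultdict

CNF_MARKER = "\nCNF:"  # AD's suffix on the losing duplicate's RDN: "\0ACNF:" in the DN, base64 in LDIF

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]}, unfolding continuation lines and decoding '::'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation line: glue onto the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            current.setdefault(attr.strip(), []).append(value)
    return entries

def find_conflicts(entries, rdn_attr="smAgentCommandOID4"):
    """Group entries by original OID (CNF: suffix stripped); keep OIDs duplicated or conflict-marked."""
    by_oid = defaultdict(list)
    for entry in entries:
        for value in entry.get(rdn_attr, []):
            oid, _, cnf_guid = value.partition(CNF_MARKER)
            by_oid[oid].append((entry["dn"][0], cnf_guid or None))
    return {oid: refs for oid, refs in by_oid.items()
            if len(refs) > 1 or any(guid for _, guid in refs)}

# Constructed sample export: one healthy command plus its AD-mangled duplicate (placeholder values).
_OID = "14-a9c01c2d-9c7d-4444-bf17-fd4cbc7f889f"
_GUID = "6126a9af-9afc-4ba8-829a-s4ebew4s6f71"
_BASE = ",OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=training,dc=com"
SAMPLE_LDIF = (
    f"dn: smAgentCommandOID4={_OID}{_BASE}\n"
    f"objectClass: smAgentCommand4\nsmAgentCommandOID4: {_OID}\nsmCommand4: 4\n\n"
    f"dn: smAgentCommandOID4={_OID}\\0ACNF:{_GUID[:7]}\n {_GUID[7:]}{_BASE}\n"   # folded DN
    f"objectClass: smAgentCommand4\nsmCommand4: 4\n"
    f"smAgentCommandOID4:: {base64.b64encode((_OID + CNF_MARKER + _GUID).encode()).decode()}\n"
)
```

Run `find_conflicts(parse_ldif(open("store.ldif").read()))` against a real export; each returned OID lists the DN of every object claiming it together with the conflict GUID, if any.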


Environment


Policy Store on Active Directory and ADLDS.


Resolution


Investigate the LDAP service's replication and runtime behaviour to
understand the cause of the duplicated object.

1. For environment tuning and implementation, refer to the
   documentation here:

   Data Tier Performance
   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/implementing/implementing-ca-single-sign-on/performance-tuning/data-tier-performance.html

   and for the whole environment:

   Performance Tuning
   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/implementing/implementing-ca-single-sign-on/performance-tuning.html

2. No version of Policy Server can handle duplicated objects in the
   Policy Store, as they are unexpected.

   You have to investigate the ADLDS service and the replication
   between both instances.