Agent command object corruption

Article Id: 194825
Status: Published
Updated On: 10-07-2020 09:21
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) , CA Single Sign On Agents (SiteMinder) , CA Single Sign On Federation (SiteMinder) , CA Single Sign On SOA Security Manager (SiteMinder) , SITEMINDER
Issue/Introduction:

 

We're running a Policy Server and sometime a corrupted object appears
in the Policy Store which leads to raise in the amount of agent
commands and Policy Server reports error :

  [6528/1184][Fri Jun 26 2020
  15:22:30][SmPolicyServer.cpp:1883][ERROR][sm-Server-00620] Exception
  in JournalThread. Text: Policy store failed operation 'CleanAgentCmds'
  for object type 'Policy store provider'. LDAP Error Deleting
  AgentCommand object: 32: No such object

We needed to clean all AgentCommands manually. How can we prevent this
to happen ?

 

Cause:

 

The issue comes from a duplicated agent command object object :

  smAgentCommandOID4=14-a9c01c2d-9c7d-4444-bf17-fd4cbc7f889f\0ACNF:6126a9af-9afc-4ba8-829a-s4ebew4s6f71,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=training,dc=com

  dn: smAgentCommandOID4=14-a9c01c2d-9c7d-4444-bf17-fd4cbc7f889f\0ACNF:6126a9a
   f-9afc-4ba8-829a-s4ebew4s6f71,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=training,dc=com
  objectClass: smAgentCommand4
  objectClass: top
  instanceType: 4
  objectCategory: CN=smAgentCommand4,CN=Schema,CN=Configuration,CN={ECEBF945-F
   74D-4442-WW144-1EB8C10D5527
  smAgentCommandOID4:: MTQtYTjMDFjMmQtOWDASDE8sETgxLWJmMTctZmQ0Y2JjN2Y4ODlmCkN
   ORjo2MTI2YTlhZi05YWZjLTRiYTgtODI5YS1iZjhiZTQ3YZmNzE=
  smCommand4: 4
  smTimeStamp4: 159340000
  distinguishedName: smAgentCommandOID4=14-a9c01c2d-9c7d-4444-bf17-fd4cbc7f889f\0ACNF:
  6126a9af-9afc-4ba8-829a-s4ebew4s6f71,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,dc=training,dc=com

  dSCorePropagationData: 1601010100141100.0Z
  name:: MTQtYTljMDFjMmQtOWM3ZC00MTgsadsJmMTctZmQ0Y2JjN2Y4ODlmCkNORjo2MTI2YTlhZ
   i05YWZjLTRiYTgtODI5YS1iZjhiASDSADTZmNzE=
  objectGUID:: r6kmYfyaqEuCmr+as454pvcQ==
  smCommandData4: {RC2}0GpXaPg22dasDSSG8b8eg9BDLRpVY2IDsZ1V/NiizFzJVeShIZ9CKQN
   1GzSTaW+8rA5GTnEmCcU9pYMT1duRMJOH8hrvdASD414dJZJGe+VtGsjSe5/Y/VGIAfaVPQCBjZ
   RLbDsWJ9GyqLbSXYe9zCA5M0j5IcxUuqAgjCoJ4n8=
  uSNChanged: 762445608
  uSNCreated: 762244131
  whenChanged: 20200530001741.0Z
  whenCreated: 20200530001545.0Z

This is due to know internal ADLDS (AD) processing problem :

  Active Directory: Duplicate Object Name Resolution
  https://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx

We've analysed the .ldif file and we've found no corruption, which
means that duplicate data seems to come from replication issue or
problem with the ldap service itself.

 

Environment:

 

Policy Store on Active Directory and ADLDS;

 

Resolution:

 

Investigate the LDAP service replication and run time to understand
the cause of the duplicated object.

1. For environment tuning and implementation, please refer to
   documentation here :
 
   Data Tier Performance
   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/implementing/implementing-ca-single-sign-on/performance-tuning/data-tier-performance.html

   and for the all environment :

   Performance Tuning
   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/implementing/implementing-ca-single-sign-on/performance-tuning.html

2. No version of Policy Server will be able to handle duplicated
   objects in Policy Store as they are unexpected;

   You have to investigate the ADLDS service and the replication
   between both instances.