Policy Store Replication is working but not reflected in WAM UI

Article ID: 195418


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

Policy Store replication is working fine. Any objects created on PS1 are populated in the policy store and replicated to the other policy stores.

But when I protect a resource in PS1 AdminUI, it is enforced in PS1 but is not on PS2.

Some created objects do not appear on the AdminUI.

Agents are not picking up the ACO changes or realm changes.

Cause

Time synchronization issue.

(In the case of CA Directory, modify-on-add is missing in the configuration)

Environment

Release : 12.8.03

Component : SITEMINDER - Policy Server

Resolution

1) Make sure the Policy Servers are synced to a time server. In fact, all SiteMinder and third-party components involved must be in time sync.

2) Increase the Policy Server registry setting MaxTimeDeltaBetweenServers. On Linux this is in the sm.registry file. It is difficult to make a recommendation because the right value depends entirely on time sync and network latency, which are outside SiteMinder's control, but maybe start with 30 seconds. You need to restart the Policy Server after making this change. This registry setting only adds tolerance; keeping time synchronized is more important.
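To verify step 1 before changing the tolerance in step 2, the following added example (not Broadcom's code) estimates each Policy Server's clock offset from one admin host and compares the pairwise skew with the tolerance you plan to use. It assumes you collected, per host, a local timestamp before the query, the time the host reported, and a local timestamp after; the function names, host names and sample readings are hypothetical.

```python
from itertools import combinations

TOLERANCE_S = 30.0  # starting value suggested in the article; tune per site

def estimate_offset(t_send, t_remote, t_recv):
    """Return (offset, uncertainty) of a remote clock vs. the local clock.

    t_send/t_recv: local readings taken just before and after asking the host
    for its time; t_remote: the value it reported. The remote reading is
    assumed to fall mid-way through the round trip, so the error is bounded
    by half the round-trip time.
    """
    rtt = t_recv - t_send
    if rtt < 0:
        raise ValueError("receive time precedes send time")
    return t_remote - (t_send + t_recv) / 2.0, rtt / 2.0

def check_skew(samples, tolerance=TOLERANCE_S):
    """samples: {host: (t_send, t_remote, t_recv)}.

    Returns (host_a, host_b, skew, worst_case, status) per pair; status is
    'ok', 'exceeds', or 'uncertain' when latency is too high to decide.
    """
    offsets = {h: estimate_offset(*s) for h, s in samples.items()}
    findings = []
    for a, b in combinations(sorted(offsets), 2):
        (off_a, unc_a), (off_b, unc_b) = offsets[a], offsets[b]
        skew = abs(off_a - off_b)
        worst = skew + unc_a + unc_b
        best = max(0.0, skew - unc_a - unc_b)
        if best > tolerance:
            status = "exceeds"
        elif worst > tolerance:
            status = "uncertain"
        else:
            status = "ok"
        findings.append((a, b, skew, worst, status))
    return findings

# Constructed sample readings in seconds (not from a real deployment).
SAMPLES = {
    "ps1": (1000.0, 1000.25, 1000.5),  # offset 0.0, uncertainty 0.25
    "ps2": (1001.0, 1043.5, 1002.0),   # offset 42.0, uncertainty 0.5
    "ps3": (1002.0, 1032.0, 1006.0),   # offset 28.0, uncertainty 2.0
}

if __name__ == "__main__":
    for row in check_skew(SAMPLES):
        print(row)
```

A pair reported as "uncertain" means the measurement's round trip was too slow to decide; repeat the reading over a faster path before raising the tolerance.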

See the links below for an explanation:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/troubleshooting/policy-server-troubleshooting.html#concept.dita_4ef5c74b37b40cf964708a51a4e44a83bb5e4f34_PolicyServersSharingPolicyStoreNotUpdatedConsistently

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration-files/list-of-policy-server-registry-keys.html

https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=752962#bme5d60278-1a75-4cb8-abc7-e68314bfbc71

https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=050d4298-23db-4607-af6d-e6626917b773&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=digestviewer#bm050d4298-23db-4607-af6d-e6626917b773

Also, for CA Directory, "set modify-on-add = true" in the directory configuration for both directories.