Login in 2 AdminUI with siteminder account - each having its own Policy Server

Article ID: 275649

Products

SITEMINDER

Issue/Introduction


The goal is to be able to log in with the "siteminder" super user in both AdminUI's. When two AdminUI's are registered with "siteminder", it is known that "siteminder" can only be used to log in to one AdminUI (1).

At the end of the procedure, the following result should be seen:

Both Policy Servers share the same Policy Store:

ps.example.com

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore=123262470
AdminDN=                cn=admin,dc=example,dc=com;    REG_SZ
PSRootDN=                  dc=example,dc=com;  REG_SZ
Server=                   192.168.1.1:389;  REG_SZ

ps.example.net

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore=123262470
AdminDN=                cn=admin,dc=example,dc=com;    REG_SZ
PSRootDN=                  dc=example,dc=com;  REG_SZ
Server=                   192.168.1.1:389;  REG_SZ

Additional administrators have been created:

AdminUI on ps.example.com has been registered with "adminuione";
AdminUI on ps.example.net has been registered with "adminuitwo".

The first login to each AdminUI has been done with "adminuione" on ps.example.com and "adminuitwo" on ps.example.net.

The result is that the "siteminder" super user can log in to both AdminUI's at the same time.

 

Environment

 

  AdminUI 12.8SP7 on RedHat;
  Policy Server 12.8SP7 on RedHat;

 

Resolution


To implement this, remove all existing administrator data except the "siteminder" one, create two new legacy administrators, register each AdminUI with one of the new legacy administrators, and finally log in to both AdminUI's with the "siteminder" super user.

IMPORTANT: Make sure you have a full backup of the environment before doing this. The backup must include the Policy Store data and the installed AdminUI and Policy Server file folders.

  1. Confirm that both Policy Servers share the same Policy Store;
  2. Find the AdminUI that is still accessible with "siteminder" super user; this will be the First AdminUI and First Policy Server mentioned in this procedure;
  3. Access the First AdminUI with "siteminder" super user;
  4. Delete all legacy administrators except the "siteminder" one;
  5. Sign off the AdminUI;
  6. Stop each of the AdminUI’s;
  7. On each of the AdminUI’s, remove the data folder, empty the log and tmp folders:

    On Linux machine:

    # cd /{home_adminui}/standalone
    # rm -rf data
    # cd log
    # rm -f *
    # cd ../tmp
    # rm -rf *
    # cd ..
    # ls -l
    should not show data folder
    # cd log
    # ls -l
    should not show file
    # cd ../tmp
    # ls -l
    should not show file

  8. On the First Policy Server, run XPSExplorer and remove the trusted hosts created by XPSRegClient for both AdminUI's:

    # XPSExplorer

    Enter Option (#,F,B,X,P, or Q): 168
    Enter Option (ALNFSQ): S

    3-CA.SM::TrustedHost@24-xpsagent-<...>


    (I) Name  : "ps.example.net__0"
    (C) Desc  : "Generated by XPSRegClient"

    6-CA.SM::TrustedHost@24-xpsagent-<...>

    (I) Name  : "ps.example.com__0"
    (C) Desc  : "Generated by XPSRegClient"

    8-CA.SM::TrustedHost@24-xpsagent-<...>

    (I) Name  : "ps.example.com__1"
    (C) Desc  : "Generated by XPSRegClient"

    Enter Option (#, +, -, B, X, Y, M, Q): 3
    Enter Option (MJLRPWDAX+Q): D

    DELETE SUCCESS.

    Enter Option (#, +, -, B, X, Y, M, Q): 6
    Enter Option (MJLRPWDAX+Q): D

    DELETE SUCCESS.


    Enter Option (#, +, -, B, X, Y, M, Q): 8
    Enter Option (MJLRPWDAX+Q): D

    DELETE SUCCESS.


    Enter Option (#, +, -, B, X, Y, M, Q): Q
    Enter Option (ALNFSQ): Q
    Enter Option (#,F,B,X,P, or Q): P
    Enter Option (#,F,B,X,P, or Q): Q


  9. Run the XPSSecurity command and remove all SM-ADMIN-DIRECTORY objects:

    # XPSSecurity

    Enter Option (A,S,C,W,B,P or Q): A

    2 - SiteMinder Administrative UI Directory User


    SM-ADMIN-DIRECTORY
    Used by the UI for authenticating administrators


    3 - SMWAMUI:ps.example.com__0 [Legacy]
    SM://<...>/SMWAMUI:ps.example.com__0

    4 - SMWAMUI:ps.example.com__1 [Legacy]
    SM://<...>/SMWAMUI:ps.example.com__1

    5 - SMWAMUI:ps.example.net__0 [Legacy]
    SM://<...>/SMWAMUI:ps.example.net__0

    Enter Option (#NA or Q): 2
    Enter Option (# or BVUDRAQ): D

    DELETE SUCCESS.


    2 - SMWAMUI:ps.example.com__0 [Legacy]
    SM://<...>/SMWAMUI:ps.example.com__0

    3 - SMWAMUI:ps.example.com__1 [Legacy]
    SM://<...>/SMWAMUI:ps.example.com__1

    4 - SMWAMUI:ps.example.net__0 [Legacy]
    SM://<...>/SMWAMUI:ps.example.net__0

    Enter Option (#NA or Q): Q
    Enter Option (A,S,C,W,B,P or Q): P
    Enter Option (A,S,C,W,B,P or Q): Q

  10. Start the First AdminUI, the one where you ran the commands above:

    In this example, it is the ps.example.com First AdminUI and First Policy Server. Register this one first with the "siteminder" account.

    In a separate command line:

    # cd /{home_adminui}/bin
    # ./standalone.sh

    Once the First AdminUI is fully up and running, it shows this line (which can also be seen in server.log):

    10:34:09,813 INFO  [ims.Main] * Startup Step 30 : Attempting to start ApplicationContextInitializer plug-ins
    10:34:09,867 INFO  [ims.Main] ---- CA IAM FW Startup Sequence Complete. ----

  11. In the First Policy Server command line, on the same machine as this First AdminUI, run the following command:

    # XPSRegClient siteminder:<password> -adminui-setup -vT

    (INFO) : [sm-xobfed-02577] Successfully loaded smobjadapter.
    Preparing registration information, please wait...
    Processing complete. Thank you for waiting.

  12. Then access the First AdminUI and log in with the "siteminder" super user;

    c:\> start /B firefox http://ps.example.com:8080/iam/siteminder/adminui

    Username: siteminder
    Password: <password>
    Server: ps.example.com

    Wait until the browser shows the AdminUI page. If it ends with an error, close the browser, open the same page and log in again.

  13. Once logged in:

    Click Administration;
    Click Administrator;
    Click Legacy Administrators;
    Click "Create Legacy Administrator";
    Click OK;

    In the Name field, write "adminuione";

    Check "CA Single Sign-On Database";

    In the Password field, write a password;
    In the Confirm Password field, write the same password as above;

    Check System;
    Check Privileges:

    Manage System and Domain Objects
    Manage Users
    Manage Keys and Password Policies
    Register Trusted Hosts

  14. Repeat step #13 to create the "adminuitwo" legacy administrator super user;

  15. Once both Legacy Administrators "adminuione" and "adminuitwo" are created, re-register the same First AdminUI with the user "adminuione":

    Stop the AdminUI;
    On the AdminUI, remove the data folder, empty the log and tmp folders;

    # cd /{home_adminui}/standalone
    # rm -rf data
    # cd log
    # rm -f *
    # cd ../tmp
    # rm -rf *
    # cd ..
    # ls -l
    should not show data folder
    # cd log
    # ls -l
    should not show file
    # cd ../tmp
    # ls -l
    should not show file

  16. Start the First AdminUI:

    # cd ../../bin
    # ./standalone.sh

    Wait until the First AdminUI is fully up and running, showing this line:

    10:55:14,144 INFO  [ims.Main] * Startup Step 30 : Attempting to start ApplicationContextInitializer plug-ins
    10:55:14,216 INFO  [ims.Main] ---- CA IAM FW Startup Sequence Complete. ----

  17. In the First Policy Server console on the same machine, run the following command:

    # XPSRegClient adminuione:<password> -adminui-setup -vT

    (INFO) : [sm-xobfed-02577] Successfully loaded smobjadapter.
    Preparing registration information, please wait...
    Processing complete. Thank you for waiting.

  18. Then access the First AdminUI and log in with the "adminuione" super user;

    c:\> start /B firefox http://ps.example.com:8080/iam/siteminder/adminui

    Username: adminuione
    Password: <password>
    Server: ps.example.com

    Wait until the browser shows the First AdminUI page. If it ends with an error, close the browser, open the same page and log in again.

  19. Go to the Second AdminUI machine;
  20. Stop the Second Policy Server;
  21. Start the Second Policy Server;

    Ensure the Second Policy Server is fully started. You should see in the smps.log the following line:

    [3388/5920][Fri Sep 08 2023 11:43:12.461][SmPolicyServer.cpp:2036][INFO][sm-Server-00870] Journaling thread started, will delete commands older than 60  minutes

  22. Ensure that the Second AdminUI data folder is removed, the tmp and log folders are emptied;
  23. Start the Second AdminUI;

    Wait until you see the following line in the server.log:

    2023-09-08 11:27:08,277 INFO  [ims.Main] (ServerService Thread Pool -- 103) * Startup Step 30 : Attempting to start ApplicationContextInitializer plug-ins
    2023-09-08 11:27:08,308 INFO  [ims.Main] (ServerService Thread Pool -- 103) ---- CA IAM FW Startup Sequence Complete. ----

  24. Open a command line and run the command on the same machine hosting this Second AdminUI and the Second Policy Server:

    # XPSRegClient adminuitwo:<password> -adminui-setup -vT

    (INFO) : [sm-xobfed-02577] Successfully loaded smobjadapter.
    Preparing registration information, please wait...
    Processing complete. Thank you for waiting.

  25. Then access this Second AdminUI and log in with the "adminuitwo" super user;

    c:\> start /B firefox http://ps.example.net:8080/iam/siteminder/adminui

    Username: adminuitwo
    Password: <password>
    Server: ps.example.net

    Wait until the browser shows the AdminUI page. If it ends with an error, close the browser, open the same page and log in again.

  26. Log off both AdminUI's by clicking the "Sign out" link;
  27. On each of the AdminUI’s, click on "Log in to the SiteMinder environment.";
  28. On each of the AdminUI’s, log in using:

    Username: siteminder
    Password: <password>

    You'll now be logged in as "siteminder" in both AdminUI's.
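The cleanup of the AdminUI standalone folders (steps 7, 15 and 22) and the wait for the startup-complete line in server.log (steps 10, 16 and 23) are repeated several times in this procedure. The following POSIX shell script is an added example, not part of this article, that wraps both in functions with an explicit check instead of an "ls -l" read by eye; the standalone/data, standalone/log and standalone/tmp layout under the AdminUI home and the server.log path are assumed from the steps above.

```shell
#!/bin/sh
# Added example, not from the article: reset an AdminUI's standalone/
# state (steps 7, 15, 22) and wait for the startup-complete log line
# (steps 10, 16, 23). "$1" is the assumed /{home_adminui} path.

# Remove standalone/data and empty standalone/log and standalone/tmp.
# Refuses to touch a path that does not look like an AdminUI home.
reset_adminui_state() {
    home="$1"
    if [ ! -d "$home/standalone" ]; then
        echo "no standalone directory under $home" >&2
        return 1
    fi
    rm -rf "$home/standalone/data"
    for d in log tmp; do
        mkdir -p "$home/standalone/$d"
        find "$home/standalone/$d" -mindepth 1 -delete
    done
}

# Return 0 only when data/ is gone and log/ and tmp/ are empty, the
# condition the article checks by eye with "ls -l".
verify_adminui_state() {
    home="$1"
    [ ! -e "$home/standalone/data" ] || return 1
    for d in log tmp; do
        [ -d "$home/standalone/$d" ] || return 1
        [ -z "$(ls -A "$home/standalone/$d")" ] || return 1
    done
    return 0
}

# Poll server.log (path given as $1) for up to $2 seconds and return 0
# once the "CA IAM FW Startup Sequence Complete" line has been written.
wait_for_adminui_startup() {
    logfile="$1"; timeout="${2:-300}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if grep -q 'CA IAM FW Startup Sequence Complete' "$logfile" 2>/dev/null; then
            return 0
        fi
        sleep 1; waited=$((waited + 1))
    done
    return 1
}

# Constructed demo on a temporary directory that mimics the AdminUI layout.
demo=$(mktemp -d)
mkdir -p "$demo/standalone/data" "$demo/standalone/log" "$demo/standalone/tmp"
echo "stale" > "$demo/standalone/log/server.log"
reset_adminui_state "$demo" && verify_adminui_state "$demo" && echo "reset OK: $demo"
```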

 

Additional Information

 

  1. https://knowledge.broadcom.com/external/article?articleId=74830