Siteminder Modules are loaded with an un-configured IIS website

Article ID: 33281

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Issue:

An IIS 7.x web server hosts multiple websites. Some are configured with the Siteminder web agent and some are not, and each website has its own application pool. When a user accesses an IIS website that is not configured with the Siteminder web agent, LLAWP is still initialized and the following warning is logged in the Event Viewer application log:

 

“Siteminder Web Agent not having write permission on host configuration file. Shared secret roll-over may not be supported. Permission denied. Please assign write permission to the user IUSR2 for the file C:\CA\webagent\win64\config\SmHost.conf”

 

The IUSR2 user identity is associated with the application pool of the website that is not configured with the Siteminder web agent.


Cause:

With IIS 7.x, the Web Agent is initialized at the global module level and uses IIS global-level functions. As a result, the Siteminder Low-Level Agent Worker Process (LLAWP) is invoked with the w3wp process.


Workaround:

Ensure that every application pool identity has read and write permissions on WebAgent.conf, SmHost.conf and the Siteminder Web Agent log files.
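
One way to check which application pool identities still lack the access described in the workaround (an added example, not code from the original article or from the vendor). The SmHost.conf path is taken from the warning above; the WebAgent.conf and log file paths are placeholders to replace with the real locations.

```powershell
Import-Module WebAdministration

# SmHost.conf path comes from the warning text; the other two paths are
# placeholders (assumptions), replace them with the real file locations.
$files = @(
    'C:\CA\webagent\win64\config\SmHost.conf',
    'C:\path\to\WebAgent.conf',
    'C:\path\to\webagent.log'
)
$needed  = [int][System.Security.AccessControl.FileSystemRights]'Read, Write'
$sidType = [System.Security.Principal.SecurityIdentifier]

# Map an application pool to the Windows account its w3wp process runs as.
function Get-PoolAccount($pool) {
    switch ($pool.processModel.identityType) {
        'SpecificUser'            { $pool.processModel.userName -replace '^\.\\', '' }
        'ApplicationPoolIdentity' { "IIS AppPool\$($pool.Name)" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    }
}

foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $account = Get-PoolAccount $pool
    # Resolve to a SID so name formats (IUSR2 vs MACHINE\IUSR2) do not matter.
    $sid = ([System.Security.Principal.NTAccount]$account).Translate($sidType)
    foreach ($file in $files) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Not found: $file"
            continue
        }
        # Sum the Allow rights granted to this identity by name. Rights held
        # through group membership and Deny entries are not evaluated here.
        $granted = 0
        foreach ($ace in (Get-Acl -LiteralPath $file).GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $sid.Value) {
                $granted = $granted -bor [int]$ace.FileSystemRights
            }
        }
        [pscustomobject]@{
            AppPool      = $pool.Name
            Account      = $account
            File         = $file
            HasReadWrite = (($granted -band $needed) -eq $needed)
        }
    }
}
```

Run it from an elevated PowerShell session on the IIS server; rows with HasReadWrite set to False are the identity and file pairs the workaround still needs to cover.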

 

Additional Information:

The Web Agent initialization logic is moved to the local HTTP module. Therefore, LLAWP will only be initialized for websites that are configured with the web agent.

Tentatively, the change will be addressed in the following Siteminder Web Agent releases:

  • R12.5 CR5
  • R12.52 SP1 CR4
  • R12.52 SP2

 

Environment

Release: SOASMU99000-12.5-SOA Security Manager-Upgrade
Component: