
Error: Username and password do not match


Article ID: 42228


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction

 

Login to the Policy Server Administrative UI (AdminUI or WAM UI)
failed with the message

  "Error: Username and password do not match"

The user was able to log in with the same credentials earlier.

 

Cause

 

No error or warning message was logged in any of the log files, but
the authentication process took too long to complete. A low entropy
count was found to be the cause of this issue.

 

Environment

 

AdminUI all versions on Linux

 

Resolution

 

As per the documentation (1), the most commonly used option is the
rngd daemon, because it can be started at boot time, which ensures
that the entropy pool is big enough even after a system reboot.

To get this daemon on RedHat systems, you need to install the
following package:

  rng-tools-6.3.1-5.el7.x86_64 (RedHat 7)
  rng-tools-6.8-3.el8.x86_64 (RedHat 8)

  (yum install rng-tools)

No specific configuration is needed; the out-of-the-box configuration
is sufficient when you run it as a service.
  
To have it started at boot time as a service, enable it and start it
on RedHat 7 and 8:
  
  # systemctl enable rngd
  # systemctl start rngd
  # systemctl status rngd

    rngd.service - Hardware RNG Entropy Gatherer Daemon
      Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
      Active: active (running) since Thu 2021-05-06 12:46:56 CEST; 50s ago
    Main PID: 11062 (rngd)
       Tasks: 1
      CGroup: /system.slice/rngd.service
       └─11062 /sbin/rngd -f

On other Linux systems, you may be able to start the daemon manually
as follows, as per the documentation (1):

  # rngd -r /dev/urandom -o /dev/random -b

Finally, use the following command to monitor the entropy (2):

  # watch -n 1 cat /proc/sys/kernel/random/entropy_avail
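
Because the login failure leaves no error in the logs, it helps to sample the entropy value while reproducing the login and keep a timestamped record of any dips. The script below is an added example, not part of the original article or of the product; the function name entropy_sample, the ENTROPY_FILE override and the default threshold of 200 are assumptions.

```sh
#!/bin/sh
# Sample the kernel entropy estimate while an AdminUI login is reproduced.
# Usage: sh <this script> SAMPLES INTERVAL_SECONDS THRESHOLD   e.g. 60 1 200
# ENTROPY_FILE can be overridden to run the function against a test file.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# entropy_sample SAMPLES INTERVAL_SECONDS THRESHOLD
# stdout: one summary line "samples=N min=X max=Y low=Z"
# stderr: one timestamped line per sample below THRESHOLD
# status: 0 = no low sample, 1 = at least one low sample, 2 = unreadable value
entropy_sample() (
    samples="${1:-30}"
    interval="${2:-1}"
    threshold="${3:-200}"   # assumed default, the article gives no number
    min=""; max=0; low=0; i=0
    while [ "$i" -lt "$samples" ]; do
        value=$(cat "$ENTROPY_FILE" 2>/dev/null) || exit 2
        # Reject anything that is not a plain non-negative integer
        case "$value" in
            ''|*[!0-9]*) exit 2 ;;
        esac
        if [ -z "$min" ] || [ "$value" -lt "$min" ]; then min="$value"; fi
        if [ "$value" -gt "$max" ]; then max="$value"; fi
        if [ "$value" -lt "$threshold" ]; then
            low=$((low + 1))
            # Timestamp lets the dip be lined up with the slow login attempt
            echo "$(date '+%Y-%m-%d %H:%M:%S') entropy_avail=$value below $threshold" >&2
        fi
        i=$((i + 1))
        if [ "$i" -lt "$samples" ]; then sleep "$interval"; fi
    done
    echo "samples=$samples min=$min max=$max low=$low"
    [ "$low" -eq 0 ]
)

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    entropy_sample "$@"
fi
```
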

 

Additional Information

 

(1)

    Prepare for the Policy Server Installation

      Good security and not FIPS compliant: Configure the rngd daemon to
      populate /dev/random. Execute the following command:

      rngd -r /dev/urandom -o /dev/random -b

      Third-party alternatives to the rngd entropy daemon are also
      available.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/installing/install-a-policy-server/install-policy-server-on-unix/prepare-for-the-policy-server-installation.html#PrepareforthePolicyServerInstallation-IncreaseEntropy

(2)

   Increase Entropy

     To monitor the entropy on the system, execute the following
     command:

     watch -n 1 cat /proc/sys/kernel/random/entropy_avail
   
   https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/installing/install-a-policy-server/install-policy-server-on-unix/prepare-for-the-policy-server-installation.html#PrepareforthePolicyServerInstallation-IncreaseEntropy