12.6 XPSSweeper integrity check tool reports an error that cannot be fixed automatically.


Article ID: 4925


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

When running the following command:

XPSSweeper -a -changeset Changesetfile.txt -report Reportfile.txt

the report text file is produced without a changeset file because, as the report says, these errors cannot be fixed automatically.

We have 4 errors of the same nature (federation):

[..]

1) [sm-xpsxps-03233] Required attribute CA.SM::SAMLv2IdP.Name is not set.

Object ID: CA.SM::[email protected]

Object Name: FedName

Object Path: AuthScheme[FedName] / SAMLv2IdP[FedName]

Object Description:

Fix Information: Automatic fix currently not available.

[..]

 

Another error is:

5) [sm-xobsm-00480] Directory Server="E:\Program": Port "\Program" must be an integer in the range 1-65535.

Object ID: CA.SM::[email protected]

Object Name: FedDir

Object Path: UserDirectory[FedDir]

Object Description:

Fix Information: Automatic fix currently not available. 

 

Cause

This issue is due to a small defect in the validation logic for user directory objects.

The logic for checking the contents of the server attribute doesn't take into account the differences between the AD:, LDAP:, Custom: and ODBC: namespaces.

The same server attribute is reused to represent IP addresses for LDAP: and AD:, DSN names for ODBC:, and file names for Custom:.

Luckily, the same validation logic applied to all namespaces doesn't usually cause a validation failure. 

However, when the validation logic sees a ":" in the server field, it expects a number to follow the ":".

In the case of this defect, the customer has provided a full Windows filespec for the user directory server attribute, including the drive letter followed by ":".
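
The validation behaviour described above, sketched as an added Python example (not CA's code): naive_check and namespace_aware_check are hypothetical names, and splitting the server field on whitespace is an assumption inferred from the "E:\Program" token quoted in error 5. It shows why the full path fails, why the bare DLL name passes, and how a namespace-aware check would treat each case.

```python
# Added illustration; not CA/Broadcom code. The whitespace split is an
# assumption inferred from the token shown in the report's error text.
import re


def naive_check(server):
    """Namespace-blind rule: any ':' in a token must be followed by a port."""
    errors = []
    for token in server.split():
        if ":" not in token:
            continue
        port = token.split(":", 1)[1]
        if not (re.fullmatch(r"[0-9]+", port) and 1 <= int(port) <= 65535):
            errors.append(
                f'Directory Server="{token}": Port "{port}" must be an '
                "integer in the range 1-65535."
            )
    return errors


def namespace_aware_check(namespace, server):
    """Apply the host:port rule only where the field holds host[:port]."""
    if namespace.rstrip(":").upper() in ("LDAP", "AD"):
        return naive_check(server)
    return []  # ODBC: holds a DSN name, Custom: holds a library file name


# Constructed samples; the two Custom: values are the ones from this article,
# the LDAP: values use documentation-range addresses.
SAMPLES = [
    ("Custom:", r"E:\Program Files (x86)\CA\siteminder\bin\smdirapi_all.dll"),
    ("Custom:", "smdirapi_all.dll"),
    ("LDAP:", "192.0.2.10:389 192.0.2.11:636"),
    ("LDAP:", "192.0.2.10:ldap"),
]

if __name__ == "__main__":
    for ns, server in SAMPLES:
        print(ns, repr(server))
        print("  naive:          ", naive_check(server) or "OK")
        print("  namespace-aware:", namespace_aware_check(ns, server) or "OK")
```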

Environment

Policy Server: R12.6, on Win2012 R2
Policy Store: CA Directory R12 SP18
AdminUI: R12.6, on Win2012 R2

Resolution

There is a workaround for this issue. The server field for the "FedDir" userdirectory object should be changed from "E:\Program Files (x86)\CA\siteminder\bin\smdirapi_all.dll" to "smdirapi_all.dll". 

The new string should pass validation and the DLL should be found during runtime if it is located in siteminder\bin.